True, for our current cookies.
But the cookie shouldn't depend on the password itself. The cookie should be more like a cryptographic hash of something including the hashed password. So sniffing the cookie would not get you very far. You'd have to learn the "secret" string and then reverse a hash function and that would then only get you the hashed password.
The 'login' page should be https://. I've long wanted that. That'd also mean getting rid of the "login nodelet".
Also, a good password hashing function takes significant CPU time. There is a balance to be struck there. Making op=login a very convenient denial-of-service attack point is a bad idea. We might want to implement a "you recently tried to log in (from this IP address or for this username), please wait before trying again" response, which means we only need to worry about attacks from botnets. Surely that would never happen. /:
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.
| & || & |
| < || < |
| > || > |
| [ || [ |
| ] || ] ||