There are a lot of funny black hats out there, and it's vital to achieve the maximum possible security when you allow users to auto-login. There are a lot of possible exploits that a malicious user can use to gain access to your users' personal data:
- If he has access to your terminal, he can open the web browser and use your account (even my cat can do that).
- If your hard disk is shared on an intranet, he can steal your cookie and grab your personal data (anyone who can open a folder in Explorer/Finder can do that).
- If you are browsing over unprotected wifi, he can sniff your packets (anyone who can download a fucking nifty man-in-the-middle utility can do that).
- blah blah blah
The lesson is: never store personal data. But that is impossible, because I must identify myself to the site I'm trying to access. Programmer says: store the personal data in the most paranoid, obfuscated way.
2 replies ↓
1
Ark
on Sep 16, 2008 at 20:04 wrote
Use a GUID saved in the database and store that in the cookie, so you can join a GUID with a user.
2
programmer
on Sep 19, 2008 at 19:48 wrote
I already do something like this. I use the three tokens with the refresh properties that add the maximum security. They are unique and are strictly bound to the user's unique ID in my databases.
As a matter of fact, I never expose the real ID but just a bridge. I've added another feature: if a user logs in with an IP that is geographically distant from the previously used one, then the cookie is invalidated (not annoying a user who always connects from his home but has a dynamic IP).
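The following is an added example, not code from this blog or its author, of the approach the post and both comments describe: the cookie carries only a random "bridge" (Ark's GUID idea, split here into a public selector and a secret validator), the database row maps that bridge to the real user ID, the token is rotated on every use (the "refresh" property), and a presented cookie that does not match the stored validator or the location of the issuing login is invalidated. Assumptions not on the page: the selector/validator split, SHA-256 for the stored hash, an in-memory dict standing in for the database table, and a caller-supplied `region` label standing in for the author's geo-IP distance check.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL = 30 * 24 * 3600  # lifetime in seconds (constructed policy value)


@dataclass
class Session:
    user_id: int           # the real ID never leaves the server
    validator_hash: bytes  # only a hash of the secret half is stored
    region: str            # coarse location label of the issuing login (assumed stand-in for geo-IP)
    expires_at: int


# Stand-in for the database table, keyed by the public "selector" half of the cookie.
SESSIONS: Dict[str, Session] = {}


def _hash(validator: str) -> bytes:
    return hashlib.sha256(validator.encode("utf-8")).digest()


def issue_cookie(user_id: int, now: int, region: str) -> str:
    """Create a session row and return the cookie value "selector:validator".

    The selector is the bridge between the cookie and the user row; the
    validator is the secret that proves possession. Neither reveals the user ID,
    and a stolen database dump does not yield usable cookies because only the
    validator's hash is stored."""
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    SESSIONS[selector] = Session(user_id, _hash(validator), region, now + TOKEN_TTL)
    return f"{selector}:{validator}"


def check_cookie(cookie: str, now: int, region: str) -> Optional[Tuple[int, str]]:
    """Validate a presented cookie.

    Returns (user_id, replacement_cookie) on success. The row is consumed on
    every presentation and a fresh token issued, so a copied cookie is only
    good until either copy is used; any failure leaves the row deleted, so the
    pair is dead for both holders."""
    if ":" not in cookie:
        return None
    selector, validator = cookie.split(":", 1)
    session = SESSIONS.pop(selector, None)  # consume the row no matter what
    if session is None or session.expires_at <= now:
        return None
    if not hmac.compare_digest(session.validator_hash, _hash(validator)):
        return None  # known selector, wrong secret: tampered or guessed
    if session.region != region:
        return None  # geographically implausible reuse, as the author's feature does
    return session.user_id, issue_cookie(session.user_id, now, region)


def revoke_all(user_id: int) -> int:
    """Log a user out of every remembered device; returns the number of rows removed."""
    stale = [sel for sel, s in SESSIONS.items() if s.user_id == user_id]
    for sel in stale:
        del SESSIONS[sel]
    return len(stale)
```

The rotation is what makes theft detectable: once the legitimate browser has refreshed, a copied cookie points at a selector that no longer exists, and a copy used before the owner kills the owner's session, which is the moment to alert the user and call `revoke_all`.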