maikrowsoft
Posted March 13, 2014

Just a warning. TheDailyNeopets.com stores user credentials within the cookie as ('tdnuser', 'tdnpassword') and sends them in each request. This is a potential vulnerability because users are then susceptible to anyone sniffing on the network, or if their connection is somehow intercepted. Furthermore, with the password in the cookie, an attacker would not only have access to the user's session but potentially the user's plaintext password. MD5 is not a viable protection here. Consider using tokens instead.

Also: I can't seem to tick off any avatars today, is it just me? Was working fine yesterday.

Ian
Posted March 13, 2014

Thanks for writing in about this. Yes, TDN does store hashed passwords in cookies to keep our users logged in. This is how we remember your credentials.

Topic closed.
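
Added example, not part of the original thread and not TheDailyNeopets.com's code: a sketch of the token approach suggested in the first post, where the cookie carries a random session token unrelated to the password and the server keeps only the token's SHA-256 digest. The cookie name `session`, the 14-day lifetime and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 14 * 24 * 3600  # assumed lifetime: 14 days
_sessions = {}  # sha256(token) -> (username, expiry); stands in for a DB table


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(username, now=None):
    """Call after a successful password check; returns the Set-Cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits, reveals nothing about the password
    _sessions[_digest(token)] = (username, now + SESSION_TTL)
    cookie = SimpleCookie()
    cookie["session"] = token
    morsel = cookie["session"]
    morsel["secure"] = True        # only sent over HTTPS, so not visible to a network sniffer
    morsel["httponly"] = True      # not readable from page scripts
    morsel["samesite"] = "Lax"
    morsel["max-age"] = SESSION_TTL
    morsel["path"] = "/"
    return morsel.OutputString()


def _token_from(cookie_header):
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    return cookie["session"].value if "session" in cookie else None


def authenticate(cookie_header, now=None):
    """Return the username for a live session cookie, else None."""
    now = time.time() if now is None else now
    token = _token_from(cookie_header)
    entry = _sessions.get(_digest(token)) if token else None
    if entry is None or now >= entry[1]:
        return None
    return entry[0]


def revoke(cookie_header):
    """Log out: drop the server-side record so a captured token stops working."""
    token = _token_from(cookie_header)
    if token:
        _sessions.pop(_digest(token), None)
```

A stolen token can be revoked or left to expire without changing the password, which is not possible when the cookie holds a password hash.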