maikrowsoft
Posted March 13, 2014

Just a warning. TheDailyNeopets.com stores user credentials within the cookie as ('tdnuser', 'tdnpassword') and sends them in each request. This is a potential vulnerability because users are then susceptible to anyone sniffing on the network, or if their connection is somehow intercepted. Furthermore, with the password in the cookie, an attacker would not only have access to the user's session but potentially the user's plaintext password. MD5 is not a viable protection here. Consider using tokens instead.

Also: I can't seem to tick off any avatars today, is it just me? Was working fine yesterday.

Ian
Posted March 13, 2014

Thanks for writing in about this. Yes, TDN does store hashed passwords in cookies to keep our users logged in. This is how we remember your credentials.

Topic closed.