Forums / Cotonti / Bugs / Archive / Several XSS security notes

Security drawbacks and proposals

Kilandor
#1809 2008-12-20 13:07
How about this for a proposal. There can be some sort of unique value that has nothing to do with the password. Say md5($sys['now'].rand(0, 1000)); On login, it's stored in a row on the user, and that's used for unique identification, instead of throwing the password in the cookie. On logout the field is cleared. And say on a new login, the field is changed, with a new value.

This would remove any sort of password in session or cookie, solving the problem. And the salt for the time can be something more complex. No one would ever be able to just randomly fill in cookies to steal, as with the salt it would be impossible to get the same two, as the time changes as well.
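The scheme in the post above (per-user login token stored in the user row, cleared on logout, rotated on every new login) as an added, stand-alone example. This is not Cotonti code and not the poster's code: it assumes an in-memory `$users` array in place of the users table, a cookie value of the form `userid:token`, and a `$now` parameter standing in for Cotonti's `$sys['now']`. It also shows the one caveat a reviewer would raise: `md5($sys['now'].rand(0, 1000))` has at most 1001 possible values for a given second, so an attacker who knows roughly when the login happened can enumerate them all; `random_bytes()` closes that gap, and storing only a hash of the token keeps a database leak from handing out live sessions.

```php
<?php
declare(strict_types=1);

// Weak variant, exactly as proposed: md5(time . rand(0, 1000)).
// For a known second there are only 1001 candidate tokens.
function weakToken(int $now): string
{
    return md5($now . rand(0, 1000));
}

// Hardened variant: 32 bytes from the CSPRNG, hex-encoded (64 chars).
function strongToken(): string
{
    return bin2hex(random_bytes(32));
}

// Only the hash of the token goes into the user row; the raw token
// lives only in the cookie, so a dumped table is not a list of sessions.
function tokenHash(string $token): string
{
    return hash('sha256', $token);
}

// Login: mint a fresh token (old cookies stop working) and store its hash.
// Returns the cookie value; a real site would set it HttpOnly + Secure.
function login(array &$users, int $userId): string
{
    $token = strongToken();
    $users[$userId]['auth_token'] = tokenHash($token);
    return $userId . ':' . $token;
}

// Logout: clear the stored hash, which kills every cookie holding the old token.
function logout(array &$users, int $userId): void
{
    $users[$userId]['auth_token'] = null;
}

// Authenticate a "userid:token" cookie value. Returns the user id or null.
function authenticate(array $users, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    $userId = (int) $parts[0];
    if (!isset($users[$userId]['auth_token'])) {   // null after logout, or unknown user
        return null;
    }
    // Constant-time compare of the stored hash against the hash of the presented token.
    return hash_equals($users[$userId]['auth_token'], tokenHash($parts[1])) ? $userId : null;
}

function expect(bool $cond, string $label): void
{
    if (!$cond) {
        throw new RuntimeException("FAILED: $label");
    }
}

// Constructed user table for the demo (not real data).
$users = [42 => ['name' => 'alice', 'auth_token' => null]];

$first = login($users, 42);
expect(authenticate($users, $first) === 42, 'fresh login is accepted');

$second = login($users, 42);
expect(authenticate($users, $first) === null, 'new login rotates the token; old cookie is dead');
expect(authenticate($users, $second) === 42, 'new cookie is accepted');

logout($users, 42);
expect(authenticate($users, $second) === null, 'logout clears the field');
expect(authenticate($users, 'garbage') === null, 'malformed cookie is rejected');

// Why the proposed md5(time . rand(0, 1000)) is guessable: enumerate every
// candidate for one known second and confirm the "random" token is in the set.
$now = 1229778420;   // constructed timestamp
$candidates = [];
for ($r = 0; $r <= 1000; $r++) {
    $candidates[md5($now . $r)] = true;
}
expect(isset($candidates[weakToken($now)]), 'weak token found among 1001 candidates');

echo "ok\n";
```

Run with `php example.php`; it prints `ok` when every check passes. The design point is that the cookie carries a bearer secret the server can revoke and rotate, so nothing derived from the password ever leaves the server, while the token itself must come from a cryptographic RNG rather than from the clock plus a small `rand()` range.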