- From: Aaron Swartz <me@aaronsw.com>
- Date: Tue, 21 Oct 2008 09:52:56 -0400
> As I understand it: As an attacker, I can intercept that "dXN..." > string. Then I can simply make a login POST request myself at any time > in the future, sending the same encrypted string, and will get the > valid login cookies even though I don't know the password. So it > doesn't seem to work very well at keeping me out of the user's > account. Also this seems vulnerable to dictionary attacks, e.g. I can > easily encrypt "user=joesmith01&password=..." for every word in the > dictionary and will probably discover the user's password. I was simplifying; in real life, I expect the server will include a nonce with the form (as a hidden input), which they'll only permit to be used once. (I also expect their cookie will have an ID that maps to the username instead of the actual username. Or they'll just have the cookie encrypted entirely instead of using an HMAC.) This, of course, doesn't affect the HTML spec.
Received on Tuesday, 21 October 2008 06:52:56 UTC