Tag: security

No JavaScript, please

The other day I got an email from Axosoft saying that the payment for my GitKraken license (yes, I use GitKraken) had been rejected by my credit card company. It was because the card I used there had expired, but nonetheless I had to take action.

That involved going to their website and changing my payment method to a card that still worked. First it involved an overwhelmingly complex table like this.

Hash auth

Until now I was planning the blog authorization (which would, by the way, be used only for the admin area, as there will be no user registration) to be something like: the user (that is, myself, considering probably no one else would use the admin area) logs in, I give the user a cookie, everyone's happy. Usual, isn't it?

The thing is the content of the cookie. I was thinking that just hashing the login credentials (that is, what's stored in the database, e.g. the email address and the hash of the password) would suffice for authentication, but today a plurk about Wireshark made me realize it wouldn't. So the new method is to hash the IP address of the user into the cookie as well. This way, unless the attacker can somehow get behind the same IP as the original login, even if they had the contents of the cookie, they couldn't impersonate the logged-in user.

Or could they?
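To make the question concrete, here is an added example (my own code, not the post's or the blog's) of the cookie scheme described above: the cookie is a hash over the stored email, the stored password hash and the client's IP, and the server recomputes it on every request. The stored values, IPs and the session-table contrast at the end are assumptions made up for the example. Running it shows the property the post claims (a captured cookie fails from a different IP) and also the part "Or could they?" points at: from the same IP, which anyone behind the same NAT, corporate proxy or VPN exit shares, the cookie replays forever, because the hash is deterministic and carries no expiry or secret the server could rotate.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample of what the post says the database holds: the admin's
# email and the hash of the password. Assumed values, not real ones.
STORED_EMAIL = "admin@example.invalid"
STORED_PASSWORD_HASH = hashlib.sha256(b"correct horse battery staple").hexdigest()


def make_cookie(email, password_hash, client_ip):
    """Cookie value as the post describes it: one hash over the stored
    credentials plus the IP address the login came from."""
    material = "|".join([email, password_hash, client_ip]).encode()
    return hashlib.sha256(material).hexdigest()


def cookie_is_valid(cookie, client_ip):
    """Server-side check: recompute the hash for the requesting IP and compare
    in constant time. Nothing in the cookie changes between logins, so the IP
    is the only thing that varies."""
    expected = make_cookie(STORED_EMAIL, STORED_PASSWORD_HASH, client_ip)
    return hmac.compare_digest(cookie, expected)


def replay_from(cookie, attacker_ip):
    """What an attacker who captured the cookie (e.g. with Wireshark on plain
    HTTP) gets when presenting it from attacker_ip."""
    return cookie_is_valid(cookie, attacker_ip)


# Contrast (an assumed design, not the post's): a random session id kept
# server-side. A captured cookie can then be revoked, and it expires on its own;
# binding the session to the login IP is kept as an extra check only.
SESSIONS = {}


def start_session(client_ip, ttl_seconds=3600, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unpredictable, unlike a hash of stored data
    SESSIONS[token] = {"ip": client_ip, "expires": now + ttl_seconds}
    return token


def session_is_valid(token, client_ip, now=None):
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return False
    if now >= session["expires"]:
        SESSIONS.pop(token, None)  # expired sessions are dropped on first use
        return False
    return hmac.compare_digest(session["ip"], client_ip)


def revoke_session(token):
    """Log out / kill a stolen session: impossible with the deterministic cookie,
    which stays valid until the password itself is changed."""
    SESSIONS.pop(token, None)


if __name__ == "__main__":
    login_ip, other_ip = "203.0.113.7", "198.51.100.9"  # constructed addresses
    cookie = make_cookie(STORED_EMAIL, STORED_PASSWORD_HASH, login_ip)
    print("owner from login IP:   ", cookie_is_valid(cookie, login_ip))
    print("attacker, other IP:    ", replay_from(cookie, other_ip))
    print("attacker, same NAT/IP: ", replay_from(cookie, login_ip))
    print("same cookie next year: ",
          make_cookie(STORED_EMAIL, STORED_PASSWORD_HASH, login_ip) == cookie)
    tok = start_session(login_ip, ttl_seconds=60, now=1000.0)
    print("session valid now:     ", session_is_valid(tok, login_ip, now=1001.0))
    print("session after expiry:  ", session_is_valid(tok, login_ip, now=1100.0))
```

The constant-time compare is there because a cookie check that exits at the first differing byte leaks how many bytes of the expected value the attacker has right; it is cheap and worth keeping in either design.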