From: | Steve Manes <smanes(at)magpie(dot)com> |
---|---|
To: | Bohdan Linda <bohdan(dot)linda(at)seznam(dot)cz> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Password safe web application with postgre |
Date: | 2008-05-15 16:56:02 |
Message-ID: | 482C6B22.7030404@magpie.com |
Lists: | pgsql-general |
Bohdan Linda wrote:
> On Thu, May 15, 2008 at 05:40:49PM +0200, Steve Manes wrote:
>> I keep the user's login credentials in a TripleDES-encrypted,
>> non-persistent cookie, separate from session data.
>
> This is the approach I am/will be heading to. Having the cookie with login
> and password encrypted on the user side, an HTTPS connection, and what was said
> in previous emails about not storing credentials in cookies, any ideas of
> weak sides? Moreover, what if parts of the decryption keys were unique to the
> session and stored in the session on the server?
No security is 100% and neither is my solution. Given enough time,
interest and computer time it could be hacked.

But we used similar tamper-proof credential security on three large,
hacker-infested community web sites which together logged up to 0.75
billion page views/month. Everything else under the sun got hacked but
this encrypted cookie never was (we had watchdogs sniffing for mangled
cred cookies). It was just too much work.
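The design discussed in this thread (credentials kept in an encrypted, non-persistent cookie separate from session data, part of the key material unique to the server-side session, and a watchdog that flags mangled cookies), as an added example that is not code from the thread or from the sites Steve describes. It is stdlib-only Python; the server secret, the in-memory session store, the tamper log and the sample credentials are all constructed for the example. Two points it makes concrete that the thread leaves implicit: encryption alone does not make a cookie tamper-proof, so each cookie carries an HMAC tag that is verified (in constant time) before anything is decrypted, and keys are derived from both a long-term server secret and a per-session secret, so a cookie lifted from one session cannot be opened under another. The keystream here is HMAC-SHA256 used as a PRF in counter mode, a stand-in so the example runs without third-party packages; in a real deployment use an AEAD such as AES-GCM or ChaCha20-Poly1305 from a crypto library rather than that or TripleDES (64-bit blocks, since deprecated).

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed values for the example; a real deployment loads the server
# secret from configuration and keeps sessions in its session store.
SERVER_SECRET = b"example-long-term-server-secret-rotate-me"
SESSIONS = {}      # session_id -> per-session secret, held only server side
TAMPER_LOG = []    # the "watchdog": every rejected cookie is recorded here

NONCE_LEN = 16
TAG_LEN = 32


def new_session():
    """Create a server-side session and its random key-derivation secret."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def _derive_keys(sid):
    """Derive separate encryption and MAC keys bound to both the long-term
    server secret and the per-session secret (HKDF-style extract/expand)."""
    prk = hmac.new(SERVER_SECRET, SESSIONS[sid], hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"enc|" + sid.encode(), hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"mac|" + sid.encode(), hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key, nonce, length):
    """HMAC-SHA256 as a PRF in counter mode (stand-in for a real AEAD)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_credentials(sid, username, password, now=None):
    """Encrypt-then-MAC the credentials into a URL-safe cookie value."""
    enc_key, mac_key = _derive_keys(sid)
    nonce = os.urandom(NONCE_LEN)
    issued = int(time.time()) if now is None else now
    plaintext = json.dumps({"u": username, "p": password, "iat": issued}).encode()
    body = nonce + _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # The tag also covers the session id, so the cookie is bound to the
    # session it was issued for even at the MAC layer.
    tag = hmac.new(mac_key, sid.encode() + body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def open_credentials(sid, cookie, max_age=3600, now=None):
    """Verify and decrypt a cookie; return the credentials dict or None.
    Every rejection is logged, and nothing is decrypted before the MAC check."""
    if sid not in SESSIONS:
        TAMPER_LOG.append(("unknown-session", sid))
        return None
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except (ValueError, TypeError):
        TAMPER_LOG.append(("undecodable", sid))
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        TAMPER_LOG.append(("truncated", sid))
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(sid)
    expected = hmac.new(mac_key, sid.encode() + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        TAMPER_LOG.append(("bad-mac", sid))
        return None
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    creds = json.loads(_xor(ct, _keystream(enc_key, nonce, len(ct))))
    current = int(time.time()) if now is None else now
    if current - creds["iat"] > max_age:
        TAMPER_LOG.append(("expired", sid))
        return None
    return creds


if __name__ == "__main__":
    sid = new_session()
    cookie = seal_credentials(sid, "alice", "correct horse battery staple")
    print(open_credentials(sid, cookie))
    # Flip one base64 character: the MAC check fails and the watchdog logs it.
    mangled = cookie[:10] + ("A" if cookie[10] != "A" else "B") + cookie[11:]
    print(open_credentials(sid, mangled))
    print(TAMPER_LOG)
```

The value returned by seal_credentials is what goes into the Set-Cookie header; to keep it non-persistent as described above, send it without Expires or Max-Age (the browser then drops it when the session ends) and with the Secure and HttpOnly attributes, since the thread already assumes HTTPS. Because _derive_keys needs the SESSIONS entry, expiring or regenerating the server-side session invalidates every cookie issued under it without any change to the cookie itself, which is the practical benefit of the per-session key component Bohdan asks about.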