Logon Sequences for Battle.net

Started by shout, July 29, 2004, 05:08 PM


Banana fanna fo fanna

Give every person in India a calculator.

ChR0NiC

Quote from: $t0rm on July 30, 2004, 11:27 PM
Give every person in India a calculator.

And a carton of smokes >:(

Adron

Quote from: Arta[vL] on July 30, 2004, 12:19 PM
Adron: That's how I store session cookies already. I don't want to keep sessions open for extended periods of time. The only other option is to automatically log people on, which requires a usable saved password. Even if that method were used, the old problem that having a hash of a password is the same as having the password itself still applies.

Chronic: None of this applies to normal users.

It's not a session cookie - it's an automatic logon cookie. You can use the same secret for all users, you don't have to store anything extra for each user that would require resources on the server.

The users won't be having a hash of a password, they'll be having a hash of name + time + shared secret. They can't use that to log on as any other user. They also can't obtain the password from the cookie.

Adron

Quote from: Arta[vL] on July 30, 2004, 03:32 PM
It exposes the system to session theft.

This is what people want - the ability to have their computer log them in automatically. That necessarily means that the computer will have whatever token is required to authenticate. And yes, that token could be stolen. Those tokens could be stolen already, from the password cache in IE or whatever corresponding function there is in other browsers.

Since the session cookies are unique to each user, it's not possible to make an attack based on setting the cookie in your domain ahead of time. Since that's impossible, what would remain is to use a cross-site scripting attack. If your site is vulnerable to cross-site scripting, it can be compromised already, so no reason to worry about that any more for this case.
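The automatic-logon cookie Adron describes (a keyed hash over name + time + a shared server secret, with no password material in it) and the expiry bound that limits how long a stolen token stays usable, worked through as an added example. This is not code from the thread or from BnetDocs; the cookie layout, the HMAC-SHA256 construction, the lifetime and the secret value are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed server-side secret for this example only. A real deployment
# would load a long random value from configuration, never hard-code it.
SERVER_SECRET = b"example-shared-secret-not-for-production"

# Assumed lifetime of an automatic-logon cookie, in seconds (30 days).
COOKIE_LIFETIME = 30 * 24 * 3600


def make_autologon_cookie(username, issued_at, secret=SERVER_SECRET):
    """Build a cookie of the form  name:issued_at:tag  where
    tag = HMAC-SHA256(secret, name + ":" + issued_at).

    The same secret serves every user, so the server stores nothing
    per user; the cookie carries no password or password hash.
    """
    if ":" in username:
        raise ValueError("username must not contain the field separator")
    message = f"{username}:{issued_at}".encode()
    tag = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"{username}:{issued_at}:{tag}"


def verify_autologon_cookie(cookie, now, secret=SERVER_SECRET,
                            lifetime=COOKIE_LIFETIME):
    """Return the username if the cookie is authentic and unexpired,
    otherwise None.

    Authenticity: the tag must match a fresh HMAC over name and time,
    so a cookie cannot be altered to name another user or to push its
    issue time forward without knowing the secret.
    Freshness: a token older than `lifetime` (or dated in the future)
    is rejected, which bounds the window in which a stolen cookie works.
    """
    try:
        username, issued_str, tag = cookie.rsplit(":", 2)
        issued_at = int(issued_str)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{username}:{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    if issued_at > now or now - issued_at > lifetime:
        return None
    return username


if __name__ == "__main__":
    issued = 1_091_000_000          # constructed timestamp (late July 2004)
    cookie = make_autologon_cookie("arta", issued)
    print("cookie:", cookie)
    print("valid an hour later:", verify_autologon_cookie(cookie, issued + 3600))
    print("valid after expiry:", verify_autologon_cookie(cookie, issued + COOKIE_LIFETIME + 1))
    print("renamed to another user:", verify_autologon_cookie(cookie.replace("arta", "adron", 1), issued + 3600))
    print("forged with guessed secret:", verify_autologon_cookie(
        make_autologon_cookie("arta", issued, secret=b"guess"), issued + 3600))
```

The four checks at the bottom show the two properties argued for in the thread: the cookie reveals nothing about the password and cannot be rewritten for another user, while anyone who copies an unexpired cookie is logged on as its owner until the lifetime runs out, which is exactly the session-theft trade-off being discussed.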

Adron

Quote from: ChR0NiC on July 30, 2004, 12:09 PM
Uh? No offense but any idiot who is lame enough to try and brute force a BNET Docs password seriously needs a life. I don't get what "BAD" they could do with it anyways, other than logging in and viewing the documents that Arta has provided, which can be done by registering their own account.

It's about the principles. The same thing could be used to protect your bank account. Now, do you spot any weaknesses there?

DeTaiLs

Quote from: Adron on July 31, 2004, 07:12 AM
Quote from: ChR0NiC on July 30, 2004, 12:09 PM
Uh? No offense but any idiot who is lame enough to try and brute force a BNET Docs password seriously needs a life. I don't get what "BAD" they could do with it anyways, other than logging in and viewing the documents that Arta has provided, which can be done by registering their own account.

It's about the principles. The same thing could be used to protect your bank account. Now, do you spot any weaknesses there?

Actually, not too long ago somebody cracked into the Visa accounts and they ended up having to cancel over a million credit cards.

Blaze

Why not just have no login? It saves on thinking of a secure way...
Quote
Mitosis: Haha, Im great arent I!
hismajesty[yL]: No
