Xety / Cake3-CookieAuth

A simple Cake 3 plugin to automatically authenticate users with Cookies.
http://xeta.io
MIT License

Security #4

Open davidyell opened 9 years ago

davidyell commented 9 years ago

I thought it was worth mentioning that storing the username and password in the cookie is a huge security risk. You should be using a hash of some description saved in the database.

There are some more details here, http://jaspan.com/improved_persistent_login_cookie_best_practice
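The series/token scheme from the linked article, written out as an added example that is not part of this thread or of the plugin's own code (Python, framework-independent; the in-memory dictionary stands in for the database table that holds the hashed token):

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory stand-in for the database table: one row per
# (user, series) holding only sha256(token), never the token itself and
# never the password.
_STORE: Dict[Tuple[str, str], str] = {}


def _h(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_cookie(username: str, series: Optional[str] = None) -> str:
    """Start a new series (or rotate the token within an existing one).

    The cookie carries username, series id and a random token; the store
    keeps only the token's hash, so a leaked table cannot forge a cookie.
    """
    series = series or secrets.token_hex(16)
    token = secrets.token_hex(32)
    _STORE[(username, series)] = _h(token)
    return f"{username}:{series}:{token}"


def check_cookie(cookie: str) -> Tuple[str, Optional[str]]:
    """Validate a presented cookie and return (status, new_cookie).

    'ok'      token matched; it is rotated and a fresh cookie returned.
    'invalid' malformed cookie or unknown user/series.
    'theft'   series known but token wrong: an already-rotated token is
              being replayed, so every series for that user is revoked.
    """
    try:
        username, series, token = cookie.split(":")
    except ValueError:
        return "invalid", None
    stored = _STORE.get((username, series))
    if stored is None:
        return "invalid", None
    if not hmac.compare_digest(stored, _h(token)):  # constant-time compare
        for key in [k for k in _STORE if k[0] == username]:
            del _STORE[key]
        return "theft", None
    return "ok", issue_cookie(username, series)
```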

Xety commented 9 years ago

Hello,

Yes and no, because the cookies are not stored in the clear. They are encrypted using the Cookie component. And actually it's not possible to decrypt them if you don't have the hash.

davidyell commented 9 years ago

Ah fair enough, perhaps this is worth a read too, as this functionality might be making its way into the core in 3.2.

https://github.com/FriendsOfCake/Authenticate/issues/53

Xety commented 9 years ago

Interesting solution, I will leave your issue open so when I get some time, I will work on it.

Thank you!

kgbph commented 5 years ago

Anyone still working on this?