Our current login system works by setting a cookie containing nothing but the logged in user's username in plain text. Anyone who wanted to could easily change the username in that cookie to anything they wanted, thereby logging themselves in as any user they want to without needing to enter a password.
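The weakness described above, next to one way to make the cookie tamper-evident, as an added example that is not the project's own code. The function names, the `username.tag` cookie layout and the HMAC-SHA256 scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret that only the server knows; generated here for the demo.
SERVER_KEY = secrets.token_bytes(32)


def naive_user_from_cookie(cookie_value):
    """Scheme described above: whatever the cookie says is taken as the user."""
    return cookie_value or None


def _tag(username, key):
    """Hex HMAC-SHA256 of the username under the server key."""
    return hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_signed_cookie(username, key=SERVER_KEY):
    """Build 'username.tag' so any later change to the username is detectable."""
    return f"{username}.{_tag(username, key)}"


def user_from_signed_cookie(cookie_value, key=SERVER_KEY):
    """Return the username only if its tag verifies, otherwise None."""
    # The hex tag never contains '.', so split on the last one;
    # this keeps usernames such as 'a.b' intact.
    username, sep, tag = cookie_value.rpartition(".")
    if not sep or not username:
        return None  # no tag present, e.g. a bare plain-text username
    # Compare as bytes, in constant time, so a malformed tag cannot raise
    # and timing does not reveal how much of the tag matched.
    if not hmac.compare_digest(_tag(username, key).encode(), tag.encode("utf-8")):
        return None
    return username


if __name__ == "__main__":
    cookie = issue_signed_cookie("alice")        # constructed sample user
    edited = "admin." + cookie.rpartition(".")[2]  # username changed, tag kept
    print("naive check accepts edited value:", naive_user_from_cookie("admin"))
    print("signed check, untouched cookie:  ", user_from_signed_cookie(cookie))
    print("signed check, edited cookie:     ", user_from_signed_cookie(edited))
```

Signing only makes edits detectable: a copied cookie still works until the key changes, so an expiry time or a random server-side session identifier is still needed for logout and revocation.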