Open ed588 opened 7 years ago
This system is designed for HTTPS servers.
Hashing the cookie would be of no merit. It is just used as a random string to check that all requests to the reverse proxy PHP are real. In an upcoming release, I want to make the cookie change based on the time and the starting auth code.
Another feature required is a sign out button to delete the cookie and close the session.
I will add a section to the readme stating that HTTPS must be used.
I would assume hashing the cookie is to protect against man-in-the-middle attacks.
The way you are handling authentication is by setting a cookie to a string kept in a config file.
This is very insecure and you should use a different method, because anyone who intercepts the cookie knows the authentication secret.
At the very least, you should hash it in some way.
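A hardened sketch of the time-based cookie the maintainer proposes, added here as an example and not taken from the project: the cookie carries an expiry and an HMAC over that expiry keyed with the config secret, so the secret itself never travels in the cookie and a captured value stops working once its window passes. The function names, the cookie name `auth` and the secret value are assumptions.

```php
<?php
// Added example, not code from the project discussed in the issue.
// Weak pattern from the issue: cookie value == secret from the config file,
// so whoever reads the cookie holds the secret and it never changes.
// Hardened variant below: cookie = "<expiry>.<HMAC-SHA256(expiry, secret)>".

function issueToken(string $authSecret, int $now, int $ttlSeconds = 900): string {
    $expires = $now + $ttlSeconds;
    $mac = hash_hmac('sha256', (string)$expires, $authSecret);
    return $expires . '.' . $mac;
}

function verifyToken(string $authSecret, string $token, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed
    }
    [$expires, $mac] = $parts;
    if ((int)$expires <= $now) {
        return false; // expired: a replayed old cookie is rejected here
    }
    $expected = hash_hmac('sha256', $expires, $authSecret);
    // Constant-time comparison so the MAC cannot be probed byte by byte.
    return hash_equals($expected, $mac);
}

// Cookie attributes that go with the HTTPS requirement the maintainer
// mentions: Secure, HttpOnly, SameSite (array options need PHP 7.3+).
function setAuthCookie(string $token, int $expires): void {
    setcookie('auth', $token, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Self-check with a constructed secret standing in for the config value.
$secret = 'example-config-secret';
$now    = time();
$token  = issueToken($secret, $now);
if (!verifyToken($secret, $token, $now))        { throw new RuntimeException('fresh token rejected'); }
if (verifyToken($secret, $token, $now + 1000))  { throw new RuntimeException('expired token accepted'); }
if (verifyToken($secret, $token . 'x', $now))   { throw new RuntimeException('tampered token accepted'); }
echo "token checks passed\n";
```

Signing out then means clearing the `auth` cookie and the server-side session, and because the secret never appears in the cookie, rotating it in the config invalidates every outstanding token at once.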