Message from discussion Sending encoded login details to API
From: "dean.j.robinson" <Dean.J.Robin...@gmail.com>
Date: Tue, 6 May 2008 20:36:13 -0700 (PDT)
Local: Tues, May 6 2008 11:36 pm
Subject: Re: Sending encoded login details to API
Hi Ed,

Thanks for the response, I'm going to have to take a good look at my
auth code, it's not something I wrote myself, it's a modified script I
got from elsewhere. I should be able to switch it to session data
instead, but I need to make sure I can do it without interrupting my
users too much. Looks like I'm not going to escape from working on
Hahlo just yet.

cheers

On May 7, 1:02 pm, "Ed Finkler" <funkat...@gmail.com> wrote:

> Lemme put on my 10 gallon security "expert" hat here...

> Do you really have to store the username and pass in the cookie? Hahlo
> is, if I remember, a web app, so you should be able to just store the
> username and pass server-side in the session data. The cookie would
> only need to store a session ID.

> If you really *have* to store your data in the cookie, you should be
> able to encrypt your cookie data with a two-way hash. It's not optimal
> (you should never store authentication data in the cookie, encrypted
> or not), but it will make stealing the data significantly harder.

> Does Safari on the iPhone support HTTPS-only cookies? If so, I would
> be using those as well (again, if you really HAVE to store usernames
> and passwords in the cookie).

> Remember that *lots* of (most?) people only use a handful of usernames
> and passwords for numerous accounts. A lost iPhone or an unknown XSS
> exploit in Hahlo or Twitter could cause big, embarrassing trouble.

> You can ping me offlist if you wanted to discuss this further, since
> the issues are a bit outside scope.

> --
> Ed Finkler
> http://funkatron.com
> AIM: funka7ron
> ICQ: 3922133
> Skype: funka7ron

> On Tue, May 6, 2008 at 9:25 PM, dean.j.robinson <Dean.J.Robin...@gmail.com> wrote:

> >  A couple of days ago, after the launch of Hahlo 3, someone posted that
> >  Hahlo is "insecure" because it stores the username/password in a
> >  cookie on your iPhone. Personally I think it's not that big of an issue
> >  (it's just a Twitter password, it's not bank account details or
> >  anything), and what he fails to mention is that every Twitter iPhone
> >  app does exactly the same thing.

> >  I tried (even though I was doubtful it would work) to md5 the password
> >  before saving it in the cookie, which would counteract the "issue".
> >  However it then doesn't work when you try to use it to authenticate
> >  against the api (as expected)

> >  Is there any way that I can authenticate against the API with something
> >  other than the raw password?  i.e., can you make it possible to log in
> >  using an md5 hashed password or something better?

> >  Does anyone else have any suggestions?
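Ed's suggestion above, worked through as an added example that is not code from this thread, from Hahlo or from Twitter. It puts the two designs side by side: a cookie that merely base64-encodes `username:password` (reversible, so a lost phone or an XSS bug hands over the password), and a server-side session store where the cookie carries only a random ID marked `Secure` and `HttpOnly`, with the raw password assembled into the API request on the server. It assumes the API uses HTTP Basic authentication and compares the raw password, which is why the original poster's md5 attempt cannot work; the in-memory store, `api_accepts`, and the credentials are constructed for the example.

```python
import base64
import hashlib
import secrets
from http.cookies import SimpleCookie

# Constructed sample credentials for the example; not a real account.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


# --- What the thread warns against: the cookie itself carries the credentials ---

def credentials_cookie(username: str, password: str) -> str:
    """Cookie value that only *encodes* username:password (base64)."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_credentials_cookie(value: str) -> tuple[str, str]:
    """Encoding is reversible: whoever holds the cookie holds the password."""
    user, _, pw = base64.b64decode(value).decode().partition(":")
    return user, pw


# --- Ed's alternative: credentials stay server-side, the cookie carries an ID ---

class SessionStore:
    """Server-side map of session ID -> credentials. In-memory here; a real
    deployment would use a backing store with expiry (assumed design)."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[str, str]] = {}

    def create(self, username: str, password: str) -> str:
        # 32 random bytes: unguessable, so the ID is safe to hand to the browser.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (username, password)
        return session_id

    def lookup(self, session_id: str):
        return self._sessions.get(session_id)

    def destroy(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: only the opaque ID, sent over HTTPS only and hidden
    from page scripts (the HTTPS-only cookies Ed asks about)."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["secure"] = True    # never sent over plain HTTP
    cookie["sid"]["httponly"] = True  # not readable by JavaScript, limiting XSS impact
    cookie["sid"]["path"] = "/"
    return cookie.output(header="").strip()


# --- Talking to the API with the raw password, assembled server-side ---

def basic_header(username: str, password: str) -> str:
    """HTTP Basic Authorization value (assumed: the API uses Basic auth)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def api_auth_header(store: SessionStore, session_id: str):
    """Build the Authorization header from the session; None forces a re-login."""
    creds = store.lookup(session_id)
    if creds is None:
        return None
    return {"Authorization": basic_header(*creds)}


def hashed_password_attempt(username: str, password: str) -> str:
    """The original poster's idea: send md5(password) instead of the password."""
    return basic_header(username, hashlib.md5(password.encode()).hexdigest())


# Constructed stand-in for the API's own check (assumed: it compares the raw password).
API_USERS = {USERNAME: PASSWORD}


def api_accepts(authorization: str) -> bool:
    """Accept a Basic header only if it carries the stored raw password."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        return False
    user, _, pw = base64.b64decode(token).decode().partition(":")
    # Constant-time comparison; an md5 hex digest never equals the stored password.
    return secrets.compare_digest(API_USERS.get(user, ""), pw)
```

The session ID is the only secret that ever reaches the phone, and it can be revoked with `destroy` without the user changing their Twitter password; a lost device then costs one session rather than the credential itself. Encrypting the cookie contents, as Ed notes, is a weaker fallback: the server still has to hold the decryption key, and the ciphertext still travels with the device.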

