Message from discussion Sending encoded login details to API
Ed Finkler  
From: "Ed Finkler" <funkat...@gmail.com>
Date: Tue, 6 May 2008 23:02:32 -0400
Local: Tues, May 6 2008 11:02 pm
Subject: Re: Sending encoded login details to API
Lemme put on my 10 gallon security "expert" hat here...

Do you really have to store the username and pass in the cookie? Hahlo
is, if I remember, a web app, so you should be able to just store the
username and pass server-side in the session data. The cookie would
only need to store a session ID.

If you really *have* to store your data in the cookie, you should be
able to encrypt your cookie data with a two-way hash. It's not optimal
(you should never store authentication data in the cookie, encrypted
or not), but it will make stealing the data significantly harder.

Does Safari on the iPhone support HTTPS-only cookies? If so, I would
be using those as well (again, if you really HAVE to store usernames
and passwords in the cookie).

Remember that *lots* of (most?) people only use a handful of usernames
and passwords for numerous accounts. A lost iPhone or an unknown XSS
exploit in Hahlo or Twitter could cause big, embarrassing trouble.

You can ping me offlist if you wanted to discuss this further, since
the issues are a bit outside scope.

--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron

On Tue, May 6, 2008 at 9:25 PM, dean.j.robinson <Dean.J.Robin...@gmail.com> wrote:

>  A couple of days ago, after the launch of Hahlo 3, someone posted that
>  Hahlo is "insecure" because it stores the username/password in a
>  cookie on your iPhone. Personally I think it's not that big of an issue
>  (it's just a Twitter password, it's not bank account details or
>  anything), and what he fails to mention is that every Twitter iPhone
>  app does exactly the same thing.

>  I tried (even though I was doubtful it would work) to md5 the password
>  before saving it in the cookie, which would counteract the "issue".
>  However it then doesn't work when you try to use it to authenticate
>  against the api (as expected)

>  Is there any way that I can authenticate against the API with something
>  other than the raw password?  i.e., can you make it possible to login
>  using an md5 hashed password or something better?

>  Does anyone else have any suggestions?

