Message from discussion Sending encoded login details to API
From: "Ed Finkler" <funkat...@gmail.com>
Date: Wed, 7 May 2008 20:58:56 -0400
Local: Wed, May 7 2008 8:58 pm
Subject: Re: Sending encoded login details to API

On Wed, May 7, 2008 at 6:16 PM, Benjamin Tucker <btuc...@gmail.com> wrote:

>  Hey Dean,

>  I'm the guy that wrote http://stream.btucker.org/post/33710515
>  Sorry to miss your post on the list or I would have responded
>  sooner.

>  Your solution sounds like an improvement, but not ideal.  Now if your
>  server is compromised, with it will go all your users twitter
>  credentials (correct me if I'm misunderstanding your solution).

If *any* server is rooted, the attacker can do *whatever they want.*
Stealing data out of session caches is the least of your problems.

SSL is a good idea, yes, but you should *not* be storing this data in
a cookie, period. Dean's current approach has significantly fewer
attack vectors. In addition, if the server is rooted, the attacker
will be able to pull data out of cookies just as easily as cached
session data, as it can simply be examined at the point of decryption
in the web app. No amount of SSL or app-level encryption will mitigate
this.

I'll repeat what I stated before: authentication data should *never*
be stored in cookies.

--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron
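The two approaches argued over above, as an added example that is not part of the thread or of either poster's code: base64 is assumed for the "encoded" cookie of the original post, and the in-memory dict stands in for the server-side session cache Dean's approach relies on.

```python
import base64
import secrets
from typing import Optional

# Constructed in-memory session cache standing in for the server-side store
# (memcached, a DB, ...) that only the web app can reach.
SESSION_CACHE: dict[str, dict] = {}
COOKIE_NAME = "sid"

def legacy_cookie_value(username: str, api_password: str) -> str:
    """The pattern the thread argues against: credentials 'encoded' into the
    cookie itself. Base64 is assumed here; it is reversible by anyone who
    holds the cookie, so this is transport encoding, not protection."""
    return base64.b64encode(f"{username}:{api_password}".encode()).decode()

def legacy_cookie_reveals(cookie_value: str) -> tuple[str, str]:
    """Shows that the 'encoded' cookie decodes straight back to plaintext."""
    user, _, pw = base64.b64decode(cookie_value).decode().partition(":")
    return user, pw

def create_session(username: str, api_password: str) -> str:
    """Server-side cache approach: keep the credentials in the cache and hand
    the client only a random, opaque identifier."""
    sid = secrets.token_urlsafe(32)
    SESSION_CACHE[sid] = {"username": username, "api_password": api_password}
    return sid

def set_cookie_header(sid: str) -> str:
    # Only the identifier leaves the server; Secure/HttpOnly limit exposure
    # on the wire and to scripts running in the browser.
    return f"{COOKIE_NAME}={sid}; Secure; HttpOnly; Path=/"

def parse_cookie_header(header: str) -> dict[str, str]:
    jar = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar

def credentials_for_request(cookie_header: str) -> Optional[dict]:
    """Resolve a request's cookie to the cached credentials, or None."""
    sid = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    return SESSION_CACHE.get(sid) if sid else None

def destroy_session(sid: str) -> None:
    # Revocation is a server-side delete; the old cookie becomes useless.
    SESSION_CACHE.pop(sid, None)
```

Note that the cookie in the second approach never contains credential bytes, so intercepting or decoding it yields nothing, while revocation is a single delete in the cache.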

