UPD: The issue is resolved.
I have installed several CMS including CMSimple 3.3, which used the cookies for password storage in plain text. I forgot about it as I deleted it prior to the GetSimple installation, but the cookies remained there.
Hi,
First of all, I want to thank the developers of this beautiful thing. I really like the looks, the touch and everything else about this CMS engine. This is the thing I've been looking for for years, and now I've found it!
I really appreciate the coding with security in mind, so I've opened this topic about an issue with the storage of the password in browser cookies.
The better way around is to give a "session" ID in the cookies and bind this ID to the IP and the login session (just a timestamp + ID value + IP value; when the current time hasn't passed timestamp + 4 hours and the IP and cookie session match, the user should stay logged in).
Then no one will be able to steal the cookies and get full control.
The less favorable way is to keep it in the cookies, but salted and MD5'd. Salted with some random number stored in the cookies too, and then MD5'd...
What do you think? Or have I missed something?
Thanks again, you are the best!
//// haha, the thread number is 1337
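As an added illustration of the session-ID scheme proposed in the post (example code, not code from the post or from GetSimple): the cookie carries only an opaque random ID, and the server keeps the username, the client IP and the issue time, rejecting the cookie when the IP differs or the 4-hour window has passed. The cookie attribute helper and the injectable clock are assumptions added here for testability.

```python
import secrets
import time

SESSION_TTL = 4 * 60 * 60  # the 4-hour window proposed in the post


class SessionStore:
    """Server-side session table. The browser never receives a credential,
    only a 256-bit random ID that is meaningless without this table."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock, so expiry can be tested
        self._sessions = {}          # session_id -> (username, bound_ip, issued_at)

    def login(self, username, client_ip):
        """Issue a fresh session ID bound to the client's IP and the current time."""
        session_id = secrets.token_hex(32)   # unguessable, unlike a password hash
        self._sessions[session_id] = (username, client_ip, self._now())
        return session_id

    def validate(self, session_id, client_ip):
        """Return the username if the presented cookie is valid for this client,
        otherwise None. A cookie replayed from another IP, an unknown ID, or an
        ID older than SESSION_TTL is rejected."""
        record = self._sessions.get(session_id)
        if record is None:
            return None                       # forged or revoked ID
        username, bound_ip, issued_at = record
        if bound_ip != client_ip:
            return None                       # stolen cookie used elsewhere
        if self._now() - issued_at > SESSION_TTL:
            del self._sessions[session_id]    # expired: drop it server-side
            return None
        return username

    def logout(self, session_id):
        """Revoke server-side; the cookie becomes useless even if it was copied."""
        self._sessions.pop(session_id, None)


def session_cookie_header(session_id):
    """Set-Cookie value that keeps the ID away from scripts and plain HTTP
    (HttpOnly/Secure are additions beyond the post's proposal)."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("admin", "203.0.113.5")   # constructed sample IP
    print(session_cookie_header(sid))
    print(store.validate(sid, "203.0.113.5"))   # admin
    print(store.validate(sid, "198.51.100.9"))  # None: cookie copied to another host
```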