26 August 2007 at 10:02am Last edited: 26 August 2007 10:16am
When the Member is remembered in the browser, the cookie is set in Member::autoLogin(). This cookie is the encoded email and password.
The cookies are unsafe in general, but a slightly better option is to put some random hash into the cookie, because users tend to use the same password for several accounts. The cookie can be a pair email:hash, and then the hash need not necessarily be unique.
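To make the suggestion concrete, here is an added example (written for this thread in Python; it is not SilverStripe's own Member::autoLogin() code) that puts the encoded email:password cookie the post describes next to a random-token variant. The user record, the password and the token store are constructed placeholders; the hardened variant stores only a hash of the token server-side, so neither a stolen cookie nor a leaked table reveals a password the user may reuse elsewhere.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed in-memory "database" with one user (placeholder values).
# remember_tokens maps sha256(token) -> True; the raw token is never stored.
USERS = {
    "alice@example.com": {
        "password_hash": hashlib.sha256(b"alice-secret").hexdigest(),
        "remember_tokens": {},
    }
}


def weak_remember_cookie(email, password):
    """The pattern the post criticises: email and password merely encoded.
    Anyone who reads the cookie recovers the password itself."""
    return base64.b64encode(f"{email}:{password}".encode()).decode()


def decode_weak_cookie(cookie):
    """Shows how trivially the weak cookie yields the credentials back."""
    email, password = base64.b64decode(cookie).decode().split(":", 1)
    return email, password


def issue_remember_cookie(email):
    """Hardened variant: a fresh random token per login, independent of the
    password. Only its hash goes into the store; the cookie is email:token."""
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    USERS[email]["remember_tokens"][token_hash] = True
    return f"{email}:{token}"


def check_remember_cookie(cookie):
    """Return the email if the cookie carries a live token, else None."""
    if ":" not in cookie:
        return None
    email, token = cookie.split(":", 1)
    user = USERS.get(email)
    if user is None:
        return None
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison against each stored hash.
    for stored in user["remember_tokens"]:
        if hmac.compare_digest(stored, presented):
            return email
    return None


def revoke_remember_cookie(cookie):
    """Invalidate one token (e.g. on logout or suspected theft) without
    forcing a password change; returns True if a token was removed."""
    if ":" not in cookie:
        return False
    email, token = cookie.split(":", 1)
    presented = hashlib.sha256(token.encode()).hexdigest()
    user = USERS.get(email)
    if user is not None and presented in user["remember_tokens"]:
        del user["remember_tokens"][presented]
        return True
    return False
```

Because the token is unrelated to the password, a leaked cookie only ever exposes this site's session, and a single token can be revoked on its own; with the encoded email:password cookie the only remedy is a password change on every site where it was reused.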
Google Summer of Code Hacker
27 August 2007 at 2:00am
That's true... I fixed this already in the GSoC branch a while ago... I think this branch will go into the 2.1 version.