Reason to use more cookies than just a session hash for authentication?

Posted by dierre on Stack Overflow See other posts from Stack Overflow or by dierre
Published on 2010-12-27T14:42:49Z Indexed on 2010/12/27 15:54 UTC
Read the original article Hit count: 244

I usually hang out in a community using vBulletin as its bulletin board.

I was looking at what this software saves as cookie in my browser.

alt text

As you can see it saves 6 cookies. Amongst them, what I consider to be important for authentification are:

  1. ngivbsessionhash: hash of the current session
  2. ngivbpassword: hash of the password
  3. ngivbuserid: user's id

Those are my assumptions of course. I don't know for sure if ngilastactivity and ngilastvisit are used for the same reason.

My question is: why use all these cookie for authentication? My guess would be that maybe generating a session hash would be to easy so using the hashedpassword and userid adds security but what about cookie spoofing? I'm basically leaving on the client all fundamental informations.

What do you think?

© Stack Overflow or respective owner

Related posts about php

Related posts about security