Reason to use more cookies than just a session hash for authentication?
Posted by dierre on Stack Overflow
Published on 2010-12-27T14:42:49Z
I usually hang out in a community using vBulletin as its bulletin board.
I was looking at what this software saves as cookies in my browser.
As you can see, it saves 6 cookies. Amongst them, what I consider to be important for authentication are:
- ngivbsessionhash: hash of the current session
- ngivbpassword: hash of the password
- ngivbuserid: user's id
Those are my assumptions of course. I don't know for sure if ngilastactivity and ngilastvisit are used for the same reason.
My question is: why use all these cookies for authentication? My guess would be that maybe generating a session hash would be too easy, so using the hashed password and userid adds security, but what about cookie spoofing? I'm basically leaving on the client all the fundamental information.
What do you think?
© Stack Overflow or respective owner