- changed status to open
Plain text username and password in cookie
Issue #101
on hold
The 'remember me' feature stores credentials as plain text in a cookie on the user's computer that can be stolen and used for unauthorized access. It would be much better to use persistent authentication tokens as described in:
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence
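
One common form of persistent authentication token, shown here as an added example that is not part of the original issue or the project's code: the cookie carries a random selector and a random validator instead of the username and password, and the server keeps only a hash of the validator. The function names and the in-memory `$store` (standing in for a database table) are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for an auth_tokens table, keyed by selector.
$store = [];

/** Issue a token for $userId and return the cookie value "selector:validator". */
function issueRememberToken(array &$store, int $userId, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(12));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret, held only by the client
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator), // server keeps only the hash
        'expires'        => time() + $ttl,
    ];
    return $selector . ':' . $validator;
}

/** Return the user id for a valid cookie value, or null. A token is single-use. */
function redeemRememberToken(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                          // malformed value or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    if ($row['expires'] < time()) {
        unset($store[$selector]);             // drop expired rows
        return null;
    }
    // Constant-time comparison, so response timing does not leak the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    unset($store[$selector]);                 // consume; caller issues a fresh token
    return $row['user_id'];
}

// The value would be sent with setcookie() using the Secure and HttpOnly flags.
$cookie = issueRememberToken($store, 42);
var_dump(redeemRememberToken($store, $cookie));   // redeem the token once
var_dump(redeemRememberToken($store, $cookie));   // replay the same cookie value
```

A stolen cookie in this scheme exposes one revocable token rather than the account password, and a copy of the server-side table does not yield usable cookie values.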
Comments (3)
- marked as bug
- changed status to on hold
Thanks a lot for pointing that out! We'll have a look at it in coming updates.