daimian / Tripwire / issues / #101 - Plain text username and password in cookie — Bitbucket

Issue #101 on hold

Former user created an issue 2016-02-20

The 'remember me' feature stores credentials as plain text in a cookie on the users computer that can be stolen and used for unauthorized access. It would be much better to persistent authentication tokens as described in:

https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence

Comments (3)

Ashy
- changed status to open
Thanks a lot for pointing that out! We'll have a look at it in coming updates
- 2016-06-25T19:08:01+00:00
Ashy
- marked as bug
- 2016-06-25T19:08:38+00:00
Ashy
- changed status to on hold
- 2016-06-26T12:50:32+00:00
Log in to comment

Assignee: Josh Glassmaker

Type: bug

Priority: minor

Status: on hold

Component: Login

Version: –

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!