Plain text password saved in cookie

Issue #331 resolved
Former user created an issue

login.php line 38: $password = isset($_REQUEST['password'])?$_REQUEST['password']:(isset($_COOKIE['password'])?$_COOKIE['password']:null);

Is this actually used anywhere? The password is saved as a hash in the database and the check against the hash to login doesn't use it. I don't feel comfortable with my password being passed as plain text anywhere, much less in the cookie.

Comments (2)

  1. Josh Glassmaker repo owner

    This will be changed in the May update.

    But yes, right now IF you use the "remember me" option to automatically log you in, the cookie contains your username + password. It is NOT sent in plain text, however; the cookie is HTTP only and requires SSL, so the cookie could only be read by something with access to your hard drive.

    Simply not using the "Remember Me" option would mitigate your concerns.

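For reference, the usual way to build a "remember me" login without putting the password in the cookie, as an added example and not the project's own code: the cookie carries a random selector and validator, the database keeps only a hash of the validator, and the password stays in the login form. Table name, cookie name, 30-day lifetime and user id 42 are assumptions; an in-memory SQLite table is used so it runs stand-alone.

```php
<?php
// Hypothetical "remember me" tokens: the cookie holds selector:validator, the DB holds
// only sha256(validator), so a database leak or a readable cookie never yields the password.
const COOKIE_NAME = 'remember_me';     // assumed cookie name
const TOKEN_TTL   = 30 * 86400;        // assumed 30-day lifetime

$db = new PDO('sqlite::memory:');      // stand-in for the application's database
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT,
           user_id INTEGER, expires INTEGER)');

// Call this only after the normal password check (password_verify against the stored hash).
function issueRememberToken(PDO $db, int $userId): string {
    $selector  = bin2hex(random_bytes(12));   // lookup key; not secret on its own
    $validator = bin2hex(random_bytes(32));   // the secret; only its hash is stored
    $stmt = $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + TOKEN_TTL]);
    $cookie = $selector . ':' . $validator;
    // Secure + HttpOnly + SameSite: sent only over TLS, never readable from page scripts.
    setcookie(COOKIE_NAME, $cookie, ['expires' => time() + TOKEN_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    return $cookie;
}

// Replaces reading $_COOKIE['password']: returns the user id the cookie vouches for, or null.
function userFromRememberCookie(PDO $db, ?string $cookie): ?int {
    if ($cookie === null || substr_count($cookie, ':') !== 1) return null;
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens
                          WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) return null;
    // Constant-time comparison so response timing does not leak the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector with a wrong validator: treat the token as tampered with and revoke it.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}

// Demo: issue a token for user 42 (constructed), resolve it, then present a tampered copy,
// which fails and revokes the token so the genuine cookie no longer resolves either.
$cookie = issueRememberToken($db, 42);
var_dump(userFromRememberCookie($db, $cookie));
var_dump(userFromRememberCookie($db, $cookie . 'x'));
var_dump(userFromRememberCookie($db, $cookie));
```

Reading the submitted password only from `$_POST` rather than `$_REQUEST` (which also accepts query-string and cookie values) keeps it out of URLs and cookies altogether.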