  • What is gained by tying the session cookie to the user's password in any way? Commented Aug 26, 2014 at 23:49
  • If the database is exposed (SQL injection, etc.), the attacker cannot generate cookies (unless they know the user's password). I am also assuming the cookies are transported over HTTPS. Commented Aug 26, 2014 at 23:53
  • That's also possible by storing a random key in the user's cookies and comparing it against the hash of that key in the database. Or by HMACing the session cookie with an in-memory key. Commented Aug 27, 2014 at 0:37
  • Haha, it seems so simple now. I can't believe I missed that. Thank you! Commented Aug 27, 2014 at 1:47
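The two alternatives suggested in the comments above, worked through as an added example (not code from the thread): a session table holds only the hash of a random cookie value, or the cookie carries an HMAC under a key that lives only in server memory, so a dumped database yields nothing that validates as a cookie. The in-memory dict, the SHA-256 choice and the `SERVER_KEY` name are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the sessions table: maps sha256(token) -> user id.
SESSION_DB: Dict[str, str] = {}

# Constructed in-memory key for the HMAC variant: held by the server process, never stored in the DB.
SERVER_KEY = secrets.token_bytes(32)


def issue_session(user_id: str) -> str:
    """Variant 1: hand the client a random token; persist only its hash."""
    token = secrets.token_urlsafe(32)
    SESSION_DB[hashlib.sha256(token.encode()).hexdigest()] = user_id
    return token  # goes into the cookie; the raw value never touches the database


def lookup_session(cookie: str) -> Optional[str]:
    """Hash what the client presented and look that up.

    A leaked table row is a hash, not a token, so presenting it as a cookie
    hashes to a different value and finds nothing.
    """
    digest = hashlib.sha256(cookie.encode()).hexdigest()
    return SESSION_DB.get(digest)


def mint_hmac_cookie(session_id: str) -> str:
    """Variant 2: cookie = session_id.HMAC(SERVER_KEY, session_id); DB keeps only session_id."""
    tag = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_hmac_cookie(cookie: str) -> Optional[str]:
    """Recompute the tag and compare in constant time; without SERVER_KEY the tag cannot be forged."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not session_id:
        return None
    expected = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(tag, expected) else None
```

Both variants decouple session validity from the password, so a password change or a database read does not let anyone mint a usable cookie.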