Quote:
Originally posted by kÿ®ëë
very good point indeed...another way would be to assign cookies to someone that has a legit password...but then again there is a program (not used by many due to the lack of need) that will find out what the cookie needs to be and fools the server...but since so few servers use this method...this cracking method is not well known....
Kyree
Faking cookies... in a non-brute-force manner? Remember, cookies can be traced to a specific account, with a specific credit card attached to it. *I* create the cookie code, and it can be so complex that you can't crack it for years, even with multiple credit-card frauded accounts. All bogus attempts will be in my database, remember (and you don't know if and when they succeed). I'd be really curious how that is circumvented... though I don't use that method. Does this script bypass that? If so, I'm curious.
I never trusted cookies entirely, however; I use a Session ID client-server dialogue to verify any requests I want to be secure (to negate any bogus IP requests). Finally, SSL != secure, only encrypted from a potentially untrusted source.
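
Added example, not part of the original post and not the poster's code: one way a server could issue a cookie that is bound to a single account, cannot be guessed without the server's key, and leaves every bogus attempt on record. The HMAC-SHA256 scheme, the `account|expiry|nonce|tag` layout and all names are assumptions; the post does not say which scheme is used.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to clients
FAILED_ATTEMPTS = []                  # stands in for the database of bogus attempts


def _tag(payload: str) -> str:
    """Keyed MAC over the cookie payload; infeasible to forge without SERVER_KEY."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(account_id: str, ttl: int = 3600, now=None) -> str:
    """Return 'account|expiry|nonce|tag', bound to one account and one lifetime."""
    if "|" in account_id:
        raise ValueError("account id must not contain the field separator")
    expiry = int(time.time() if now is None else now) + ttl
    payload = f"{account_id}|{expiry}|{secrets.token_hex(8)}"
    return f"{payload}|{_tag(payload)}"


def verify_cookie(cookie: str, client_ip: str, now=None):
    """Return the account id for a valid cookie; otherwise log the attempt and return None."""
    now = int(time.time() if now is None else now)
    payload, _, tag = cookie.rpartition("|")
    parts = payload.split("|")
    reason = None
    if len(parts) != 3 or not parts[1].isdigit():
        reason = "malformed"
    # Constant-time comparison so response timing does not leak tag bytes.
    elif not hmac.compare_digest(_tag(payload).encode(), tag.encode()):
        reason = "bad tag"
    elif int(parts[1]) < now:
        reason = "expired"
    if reason:
        # Every rejected cookie is recorded with the account it claimed to be.
        FAILED_ATTEMPTS.append(
            {"ip": client_ip, "claimed": parts[0], "reason": reason, "time": now}
        )
        return None
    return parts[0]
```
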