Discussion:
password in a cookie
srj_lists
2007-11-30 19:03:03 UTC
Why is the password to my delicious account stored in a cookie? I was
able to copy my Firefox cookie file from one computer to another and
access my account from the second computer without entering my password.
That doesn't seem very secure. Isn't it possible for a malicious
website to read my delicious cookie and get my password?

Stephen
Toby Elliott
2007-11-30 19:25:32 UTC
I think you'll find that this is true for the vast majority of your
cookies.

It is not possible for a malicious website to read your cookies, as
your browser is only sending them to the del.icio.us domain. We spend
a lot of time making sure that the site isn't vulnerable to cross-site
scripting attacks, which would be the most likely path for your
cookies to be compromised. In the unlikely event that a malicious
website does get hold of your cookie, they will have access to your
account, but not your password, which is not part of the cookie.

Regards,
Toby Elliott
del.icio.us
Matthew Weymar
2007-11-30 23:15:14 UTC
In case anyone else is curious ...

Changing the email or password associated with your account, and deleting
the account all require you to enter your password, so someone could post to
your account, but not do any of these other things.

I see, too, that my password is not "in" my cookie per se...

Matthew
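As an added illustration of the points made in this thread, and not del.icio.us's own code: a session cookie that carries a signed token rather than the password, HttpOnly/Secure attributes as the usual mitigation for the cross-site scripting path Toby mentions, and a password re-check on sensitive actions as Matthew describes. The server key, user table and the functions below are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
# Constructed stand-in for a server: one signing key and an in-memory user table (hypothetical names).
SERVER_KEY = secrets.token_bytes(32)
USERS = {}  # username -> {"salt": bytes, "pw_hash": bytes}

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_pw(password, salt)}

def check_password(username, password):
    u = USERS.get(username)
    return u is not None and hmac.compare_digest(u["pw_hash"], _hash_pw(password, u["salt"]))

def issue_session_cookie(username, ttl=3600):
    # Cookie value = username|expiry|MAC. It proves a login happened; it carries no password material.
    payload = f"{username}|{int(time.time()) + ttl}"
    mac = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}|{mac}"

def set_cookie_header(value):
    # HttpOnly keeps page script (the XSS path) from reading the cookie; Secure keeps it off plaintext
    # HTTP. Neither helps once the browser's cookie file itself is copied to another machine.
    return f"Set-Cookie: sess={value}; HttpOnly; Secure; SameSite=Lax; Path=/"

def user_from_cookie(value):
    # Return the username if the MAC verifies and the token is unexpired, else None.
    parts = value.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, expires, mac = parts
    expected = hmac.new(SERVER_KEY, f"{username}|{expires}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, expected) or int(expires) < time.time():
        return None
    return username

def post_bookmark(cookie, url):
    # Holding a valid cookie is enough to post, which is exactly what a copied cookie file grants.
    user = user_from_cookie(cookie)
    return f"{user} bookmarked {url}" if user else None

def change_password(cookie, current_password, new_password):
    # Sensitive changes re-check the password, so a stolen cookie alone cannot take over the account.
    user = user_from_cookie(cookie)
    if user is None or not check_password(user, current_password):
        return False
    register(user, new_password)
    return True
```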
