Piperka blog

Login system redone

This one's (hopefully) a pretty invisible change, but it's a somewhat significant one nonetheless. There's a lot of old code in the web frontend logic. Temporary, quick hacks may have stayed in there for far too long. Yesterday, I fixed one of those.

Prior to this, the authentication was based on a pair of cookies, which had the user name and an unsalted MD5 digest of the password. That's only marginally better than storing the password as plaintext. Retrieving the password from the hash was possible already in 2005, when I wrote the code. In effect, the web server was making your browser broadcast your Piperka account's password with each request.

As of yesterday, the web frontend generates sessions at login time, instead. There's still the potential for intercepting the password during login and for session hijacking, but at least this brings the security up to par with most sites. Which doesn't necessarily say much, sadly. I suppose it was a given in the first place that you shouldn't use a valuable password with Piperka.

If you have any account-related problems, don't hesitate to contact me. The new code silently converts old username and password hash cookie-based authorizations to use sessions. As far as I can tell, the change went smoothly, except for the part where Piperka briefly showed www-data as the login name for everyone. But that one was easily fixed.

The passwords are still stored as unsalted hashes in the database but I'll leave improving on that for some other time.
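The cookie upgrade described above, as an added sketch rather than Piperka's own code: a request carrying the old name and MD5 cookie pair is verified once against the stored unsalted digest, given a random server-side session, and told to drop the old cookies. The cookie names, the in-memory stores and the choice to keep only a hash of the session token are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a user table as the post describes it,
# holding unsalted MD5 digests of passwords.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}

# Assumed server-side session store: SHA-256 of token -> user name.
SESSIONS = {}


def new_session(user):
    """Create a random session token; only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = user
    return token


def session_user(token):
    """Return the user a session token belongs to, or None."""
    return SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())


def authenticate(cookies):
    """Return (user, cookies_to_set, cookies_to_delete) for one request.

    Cookie names "session", "name" and "passhash" are hypothetical.
    """
    token = cookies.get("session")
    if token:
        user = session_user(token)
        if user:
            return user, {}, []
    # Legacy path: name + unsalted MD5 cookie pair from the old scheme.
    name, digest = cookies.get("name"), cookies.get("passhash")
    if name and digest:
        stored = USERS.get(name)
        # Constant-time comparison on bytes; unknown users fail the same way.
        if stored and hmac.compare_digest(stored.encode(), digest.encode()):
            # Upgrade: issue a session, drop the password-equivalent cookies.
            return name, {"session": new_session(name)}, ["name", "passhash"]
    # Nothing valid was presented: clear whatever the browser sent.
    return None, {}, ["session", "name", "passhash"]
```

After the upgrade the browser holds only a random token, so a captured cookie no longer yields something that can be reversed into the password.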

Sun, 05 Jun 2011 09:46:46 UTC