Cookies April 21, 2002 2:17 PM   Subscribe

I have been reading about cookies, persistent logins, and session management lately and was curious how the MeFi code handles this. (Specifically, persistence of user information across sessions.) I couldn't find a description of this in any old MeTa threads.... [more inside]

posted by finn to MetaFilter-Related at 2:17 PM (4 comments total)

I've been looking at the cookies that MeFi puts on my machine and it appears that they store both customization (fonts, etc.) and user authentication information. Specifically, these three values:

USER_ID   <number>
USER_NAME <string>
USER_PASS <encrypted string>

I know that Matt can get the passwords in cleartext since he gave me back my pw when I lost it <g>. So my guess is that when I login, a cookie is placed locally with all the information in cleartext except for the password, which is encrypted using some sort of reversible process. Then whenever I come back to the site, if the cookie is there, the password is unencrypted and the information is used to authenticate me. Is this right? Not that I'm particularly worried about someone stealing my MeFi identity, but this essentially means that by copying my cookie to different computers I could maintain my "logged in" status across them. It functions as a (not very) private key of sorts.
posted by finn at 2:25 PM on April 21, 2002

Some information here.
posted by willnot at 5:04 PM on April 21, 2002

Is this right?
I think so, yes. The cookie password is then unencrypted and sent to you as hidden form variables which you submit with a comment/story.
posted by holloway at 5:52 PM on April 21, 2002

Thanks, willnot. Saw that one when I was looking through old posts. Re-reading the thread, it does appear to answer my questions. Also, my thesis above was semi-confirmed when I transposed characters of the encrypted pw in my cookie and got the posting pages to pop up errors. A quick check shows that passwords are still in cleartext in the source. Riffing off some of the posts in the thread mentioned above: I suppose a (slightly) nicer way to maintain login state between sessions would be to authenticate once from a pervasive cookie over an SSL connection. Then establish a session cookie which would be used only for the rest of the current session. If someone gets your SSL style cookie from your computer, they could fake being you, but they'd have to have access to your computer to do so. This is still pretty half-assed security-wise, but at least your password isn't going over the network in cleartext. Er. Just thinking out loud.
posted by finn at 6:33 PM on April 21, 2002
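The two designs discussed in this thread side by side, as an added example that is not MetaFilter's code: pattern A is the scheme finn describes (the cookie carries the password under a reversible transform, so a copied cookie is a usable credential and a transposed character breaks the login), and pattern B is the alternative finn sketches (a long-lived opaque "remember me" token, presented once over SSL and exchanged for a short-lived session cookie). The user table, the XOR transform standing in for whatever MeFi actually used, the static key, the cookie layout and the in-memory stores are all constructed for illustration.

```python
"""Persisting a login across browser sessions: the password-in-cookie scheme
from the thread (pattern A) beside an opaque remember-me token exchanged for a
session cookie (pattern B). All names, keys and stores are constructed for this
example; none of this is MetaFilter's code."""
import hashlib
import hmac
import secrets

# ---------- Pattern A: reversibly "encrypted" password in a persistent cookie ----------

SERVER_KEY = b"example-static-key"   # assumption: one fixed site-wide key
USERS = {"finn": "hunter2"}          # constructed user table, cleartext as the thread describes


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_password(password: str) -> str:
    """Reversible transform: whoever holds the cookie (or the key) holds the password."""
    return _xor(password.encode(), SERVER_KEY).hex()


def transpose(token: str, i: int = 0) -> str:
    """Swap two adjacent characters, as finn did by hand to test his theory."""
    return token[:i] + token[i + 1] + token[i] + token[i + 2:]


def login_from_cookie_a(cookie: dict) -> bool:
    """Accept the request if the decrypted cookie password matches the stored one."""
    stored = USERS.get(cookie.get("USER_NAME", ""))
    try:
        presented = _xor(bytes.fromhex(cookie.get("USER_PASS", "")), SERVER_KEY)
    except ValueError:            # not valid hex: treat as a bad cookie
        return False
    return stored is not None and hmac.compare_digest(stored.encode(), presented)


# ---------- Pattern B: opaque remember-me token exchanged for a session cookie ----------

REMEMBER_TTL = 30 * 24 * 3600     # persistent cookie lifetime (seconds)
SESSION_TTL = 2 * 3600            # session cookie lifetime (seconds)
REMEMBER_TOKENS = {}              # selector -> (user, sha256(validator), expires)
SESSIONS = {}                     # session id -> (user, expires)


def issue_remember_cookie(user: str, now: float) -> str:
    """Called once, after a password login over SSL. The server keeps only a hash
    of the validator, and nothing in the cookie is derived from the password."""
    selector, validator = secrets.token_hex(8), secrets.token_hex(32)
    vhash = hashlib.sha256(validator.encode()).hexdigest()
    REMEMBER_TOKENS[selector] = (user, vhash, now + REMEMBER_TTL)
    return f"{selector}:{validator}"


def redeem_remember_cookie(cookie: str, now: float):
    """Exchange the persistent cookie for a short-lived session id, or None."""
    try:
        selector, validator = cookie.split(":", 1)
    except ValueError:
        return None
    rec = REMEMBER_TOKENS.get(selector)   # lookup by selector, not by the secret part
    if rec is None:
        return None
    user, vhash, expires = rec
    if now > expires:
        del REMEMBER_TOKENS[selector]
        return None
    presented = hashlib.sha256(validator.encode()).hexdigest()
    if not hmac.compare_digest(vhash, presented):
        del REMEMBER_TOKENS[selector]     # known selector, wrong secret: revoke it
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (user, now + SESSION_TTL)
    return sid


def user_for_session(sid: str, now: float):
    """Authorize an ordinary request (posting a comment, etc.) from the session cookie."""
    rec = SESSIONS.get(sid)
    if rec is None or now > rec[1]:
        SESSIONS.pop(sid, None)
        return None
    return rec[0]


def revoke_remember_cookie(cookie: str) -> None:
    """Log out a stolen or stale persistent cookie server-side."""
    REMEMBER_TOKENS.pop(cookie.split(":", 1)[0], None)
```

In pattern A a cookie copied to another machine logs in exactly as the original does, and the only check is that the transform reverses to the stored password. In pattern B the persistent cookie should be set with the Secure flag so it travels only over SSL, as finn proposes; the session cookie authorizes each post, so the password no longer has to ride along in hidden form variables, and a leaked token table yields only hashes. Looking the record up by selector and comparing the hash with compare_digest keeps the comparison constant-time.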

