cookie security

[tablatronix]

cookie security lies entirely with protection and randomness of authkey or gsusecustomsalt, as all other aspects are predictable. ( authkey is also predictable from machine state as it is just sha1 of 22 char mt_rand() at or around install timestamp). It is also not revocable unless salt changes.

• lack of entropy in mt_rand ( not cryptographically secure)
• Uses non delimited concatenation, splice attacks
• uses sha1, subject to length extension attacks
• uses loose typed comparators, datatype conversion spoofing
• contains no time domain limiter, never expires
• contains no password binding, never breaks when passwords change
• sidechannel timing leakage
• session fixation ( not sure how to avoid this stateless )
• weak logouts, no tokens
• Also maybe want to add a public/private computer toggle on checkbox for username and logged in status

[tablatronix]

#844
#799

[tablatronix]

We are hashing the cookie name, not sure what thats about, probably an unnecessary obfuscation

We are also salting / hashing the usernames, probably also unnecessary, or rather undesired , or we are going to need multiple auth keys so we are not using the same token for salts and hmac keys.

Ideally we should also have separate salts and hmac keys for each user anyway

• implement per user keys

[tablatronix]

implementing some examples of better security, test branch

db0db69
1f702ae
fd64668