Cookie security lies entirely with the protection and randomness of authkey or gsusecustomsalt, as all other aspects are predictable (authkey is also predictable from machine state, as it is just sha1 of a 22-char mt_rand() at or around the install timestamp). It is also not revocable unless the salt changes.
Lack of entropy in mt_rand() (not cryptographically secure).
We are hashing the cookie name; not sure what that's about, probably an unnecessary obfuscation.
We are also salting/hashing the usernames, which is probably also unnecessary, or rather undesired; or we are going to need multiple auth keys so we are not using the same token for salts and HMAC keys.
Ideally we should also have separate salts and HMAC keys for each user anyway.
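The shape the issue is asking for, as an added example that is not the project's code: a root key from `random_bytes()` instead of `sha1()` over `mt_rand()` output, HKDF-derived subkeys so the same secret is never used as both salt and HMAC key, a separate subkey per user, and a per-user key version so one user's cookies can be revoked without touching the root key. The class name `CookieAuth`, the cookie layout, the `$users` table and the version-lookup callback are all assumptions for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. CookieAuth, the cookie layout and
// the $users table below are assumptions made for illustration.

final class CookieAuth
{
    private string $rootKey;

    public function __construct(string $rootKey)
    {
        if (strlen($rootKey) < 32) {
            throw new InvalidArgumentException('root key must be at least 32 bytes');
        }
        $this->rootKey = $rootKey;
    }

    // Generate once at install time and persist (config file or secrets store).
    // random_bytes() is a CSPRNG; nothing about its output follows from the
    // install timestamp or other machine state, unlike mt_rand().
    public static function generateRootKey(): string
    {
        return random_bytes(32);
    }

    // Purpose- and user-bound subkey. The HKDF info label keeps "hmac" and
    // "salt" material distinct even though both come from one root key, and
    // the key version makes per-user revocation a one-column update.
    public function deriveKey(string $purpose, int $userId, int $keyVersion): string
    {
        $info = sprintf('%s|user:%d|v:%d', $purpose, $userId, $keyVersion);
        return hash_hkdf('sha256', $this->rootKey, 32, $info);
    }

    // Cookie value layout (assumed): "userId|keyVersion|expiresAt.<hex hmac>"
    public function issue(int $userId, int $keyVersion, int $expiresAt): string
    {
        $payload = sprintf('%d|%d|%d', $userId, $keyVersion, $expiresAt);
        $key = $this->deriveKey('hmac', $userId, $keyVersion);
        return $payload . '.' . bin2hex(hash_hmac('sha256', $payload, $key, true));
    }

    // Returns the user id on success, null on any failure.
    // $currentVersion(int $userId): ?int returns that user's current key version.
    public function verify(string $cookie, callable $currentVersion, int $now): ?int
    {
        if (!preg_match('/\A\d+\|\d+\|\d+\.[0-9a-f]{64}\z/', $cookie)) {
            return null;
        }
        [$payload, $macHex] = explode('.', $cookie, 2);
        [$userId, $keyVersion, $expiresAt] = array_map('intval', explode('|', $payload));

        // Check the MAC first: nothing in the payload is trusted until it verifies.
        $key = $this->deriveKey('hmac', $userId, $keyVersion);
        $expected = hash_hmac('sha256', $payload, $key, true);
        if (!hash_equals($expected, hex2bin($macHex))) {
            return null;
        }
        if ($expiresAt < $now) {
            return null;
        }
        // Revocation: a cookie bound to an older key version is rejected even
        // though its MAC is still valid for that version's subkey.
        if ($currentVersion($userId) !== $keyVersion) {
            return null;
        }
        return $userId;
    }
}

// --- constructed demo: user table, clock and cookies are all made up here ---
$auth  = new CookieAuth(CookieAuth::generateRootKey());
$users = [42 => 1];                       // user id => current key version
$lookup = function (int $id) use (&$users): ?int {
    return $users[$id] ?? null;
};
$now = 1700000000;

$cookie = $auth->issue(42, $users[42], $now + 3600);
if ($auth->verify($cookie, $lookup, $now) !== 42) {
    throw new RuntimeException('fresh cookie should verify');
}
if ($auth->verify(str_replace('42|', '43|', $cookie), $lookup, $now) !== null) {
    throw new RuntimeException('tampered payload must fail the MAC');
}
if ($auth->verify($cookie, $lookup, $now + 7200) !== null) {
    throw new RuntimeException('expired cookie must be rejected');
}
$users[42] = 2;                           // revoke: bump this user's key version
if ($auth->verify($cookie, $lookup, $now) !== null) {
    throw new RuntimeException('cookie from an older key version must be rejected');
}
if ($auth->verify($auth->issue(42, $users[42], $now + 3600), $lookup, $now) !== 42) {
    throw new RuntimeException('cookie issued under the new version should verify');
}
echo "ok\n";
```

The per-user salt the issue mentions would come from the same derivation with `'salt'` as the purpose label, so no second root secret is needed, and nothing here hashes the cookie name or the username: the HMAC already binds the user id, and `hash_equals()` keeps the comparison constant-time.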