Currently we create the auto-login cookie from the user_id and a hash of (a) the per-user network_secret and (b) the password_v4 (which is itself a hash). Anyone with access to the database, or a backup of it, could therefore forge login cookies for any user. The scheme is also open to replay attacks. The root cause is that the network_secret is never rotated. Forgery from a stolen DB can be prevented, and the replay window shortened, with some kind of nonce and a new table: autologin_tok

Functions for switching autologin to tokens and rotating them.
