Welcome to WebmasterWorld Guest from 188.8.131.52
Forum Moderators: open
That's, mildly said, totally unnecessary and a risk one should at the very least be warned of when one signs up so no sensitive password is used here (if there is such a warning, it's not visible enough, I don't remember any)!
Why don't you save the pw as MD5 hash or similar 'one-way encryption' as any basic web security tutorial will implore you?
p.s. nice find though. I'm glad I'm not the only one to analyse cookies. I feel kinda more sane at the minute.
"[The MD5 message-digest algorithm] algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to [...] produce any message having a given prespecified target message digest."
That would be as easy as setting the cookie with this...
$cookiepw = md5($password);
...and doing user identification like this...
if ($cookiepw == md5($databasepw))
I use md5 for identification cookies on my own sites and it's being used by default with board systems like vBulletin (who in current versions not even store your password in plaintext in the DATABASE, only as md5-hash, so not even the admin can view your pw). MD5 is also in use in PGP and hundreds of other applications and scripts.
It's really neither insecure nor difficult to implement.