Textpattern CMS support forum
cookie contains fullname and email
Currently when you login you get two cookies. One (txp_name) that contain your full name and one (txp_email) that contains your email.
I’m not sure if it’s a security issue but I don’t like having such information inside a cookie that’s set to the domain on which textpattern is installed.
If you, for example, have textpattern installed in:
www.domainhosting.com/myspace/textpattern
all other users on
www.domainhosting.com
can read the cookies with my email address, or am I wrong?
Cookies should NEVER contain personal information. An ID cookie could be set, so that textpattern would read that cookie and look up any needed information. Or at least an encrypted cookie.
Re: cookie contains fullname and email
The cookie also includes the path to the textpattern installation. Browsers don’t (shouldn’t) send that cookie to other parts of that same domain. So if textpattern is on www.example.com/textpattern, the browser will not reveal the TXP cookie to a webpage at www.example.com/evil
Last edited by ruud (2007-01-11 10:08:33)
Re: cookie contains fullname and email
ruud wrote:
The cookie also includes the path to the textpattern installation. Browsers don’t (shouldn’t) send that cookie to other parts of that same domain. So if textpattern is on www.example.com/textpattern, the browser will not reveal the TXP cookie to a webpage at www.example.com/evil
I have textpattern installed at www.mydomain.com/bla/textpattern
and if I look at the “txp_email” cookie, the domain path is set to “www.mydomain.com/”
The “txp_login” cookie on the other hand is set correctly to “www.mydomain.com/bla/textpattern”
If you look at the code it says in publish\comment.php line 238:
setcookie("txp_email", $email, $cookietime, "/");
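To check which cookies a browser would actually attach to a request elsewhere on the same host, here is the path-match rule from RFC 6265 (section 5.1.4) applied to the two cookies discussed in this thread. This is an added example, not Textpattern code; the cookie names and paths are taken from the posts above, and the hostname and the sibling path are constructed for the demonstration.

```python
"""Which Textpattern cookies reach a sibling path on the same host?

Implements RFC 6265 section 5.1.4 path matching. The cookie list is a
constructed sample mirroring the thread: txp_login is scoped to the
install path, txp_email is set with path "/" by setcookie(..., "/").
"""
from urllib.parse import urlsplit

APP_PATH = "/bla/textpattern"  # install path quoted in the thread

# Constructed sample cookies (name, Path attribute as the browser stored it).
COOKIES = [
    {"name": "txp_login", "path": APP_PATH},
    {"name": "txp_email", "path": "/"},
]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: the cookie path is identical to the request
    path, or is a prefix of it and either ends in "/" or the next
    character of the request path is "/"."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent_to(url: str, cookies=COOKIES) -> list:
    """Names of cookies a browser would attach to a request for url
    (same host assumed; only the path component is examined)."""
    path = urlsplit(url).path or "/"
    return [c["name"] for c in cookies if path_matches(path, c["path"])]


def overly_broad(cookie: dict, app_path: str = APP_PATH) -> bool:
    """True when the cookie's Path covers more than the application's own
    path, i.e. it would also be sent to unrelated paths on the host."""
    return path_matches(app_path, cookie["path"]) and cookie["path"] != app_path


if __name__ == "__main__":
    host = "http://www.mydomain.com"  # constructed hostname
    print("to /evil/:", cookies_sent_to(host + "/evil/"))
    print("to the install:", cookies_sent_to(host + APP_PATH + "/index.php"))
    for c in COOKIES:
        print(c["name"], "overly broad" if overly_broad(c) else "scoped to install")
```

Running it shows that a page at /evil/ receives txp_email but not txp_login, which is exactly the difference the post above observed.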
#4 2007-01-11 12:37:56
- Mary
- Sock Enthusiast
- Registered: 2004-06-27
- Posts: 6,236
Re: cookie contains fullname and email
As far as I know, this is a “remains unchanged since time immemorial” thing, and you’re the first person to care. :)
Observations:
- “Cookies should NEVER contain personal information.” The cookie is optional. Don’t set it, then.
- There are actually 5 set (which I don’t like either).
Problems:
- Doing a key lookup type thing would be terribly impractical.
- Cookies being secure requires HTTPS. Encryption is just as easily decrypted.
But yes, the path should be restricted.
#5 2007-01-17 23:24:39
- RussLipton
- Member
- From: Spokane, WA
- Registered: 2005-02-17
- Posts: 36
Re: cookie contains fullname and email
This might be slightly off-topic, but how secure is Textpattern generally – understanding that it has hardly been a needed emphasis? I ask because I have been asked to do a site for someone who needs a reasonable (not extreme) level of security:
Password access (np, though I realize ign_password_protect doesn’t claim to provide serious security)
No RSS feed (ok, np)
No spidering by unwelcome bots (not sure how well TxP does or what is available plug-in wise)
No successful guessing at URLs of content or ability to get at site search (not sure …)
Appreciate the input about cookies; cookies are, by their nature, not very secure though they can be made somewhat more secure.
Thank you for any advice you can give. I couldn’t find much by searching the forum …
#6 2007-01-19 10:14:33
- Mary
- Sock Enthusiast
- Registered: 2004-06-27
- Posts: 6,236
Re: cookie contains fullname and email
No spidering by unwelcome bots…
A cms really can’t control that very well. You can either hope they’ll identify themselves accurately and respect a robots.txt or the robot-related meta tags, or hope they’ll identify themselves accurately and shut them out with a simple plugin. Either way, if they hide who they are: not much luck keeping them out.
If you really want to keep all unwanted “persons” out of the site entirely – which is what you suggest by the “Password access” necessity? – then use .htaccess to password protect the site.
No successful guessing at URLs of content…
Identifying your referrer accurately + plugin is what that depends upon, if I understand what you’re describing. Same potential problem as with bots.
…or ability to get at site search…
You can turn off search completely, if that’s what you mean (sections tab).
#7 2007-01-20 23:24:57
- RussLipton
- Member
- From: Spokane, WA
- Registered: 2005-02-17
- Posts: 36
Re: cookie contains fullname and email
Mary – thank you!
Question: is something like this (the Advanced Robots.txt Generator) worth the expense (I know: it probably depends) or is the creation of manual robot files reasonably straightforward … assuming one has about five sites to care for? Hey, it’s ‘advanced’.
Re: cookie contains fullname and email
Unless you need a really complicated robots.txt file, you can easily write it yourself; see the explanation at Wikipedia.
Re: cookie contains fullname and email
Writing a robots.txt is very, very simple. Paying $35 for writing one is just outrageous.
Besides, robots.txt is a public file. It’s easy to read them on whatever website you want, and see how it’s done; just in case you don’t understand the 5-line manual ;-)
Some examples:
http://shadowrun.fr/robots.txt
http://en.wikipedia.org/robots.txt
http://www.microsoft.com/robots.txt
http://www.wired.com/robots.txt
etc.
Last edited by Jeremie (2007-01-21 04:34:43)