Old 03-29-2009, 03:53 PM   #1
senthilmuthiah
Member
 
Registered: Mar 2009
Distribution: Ubuntu, Fedora
Posts: 56

Rep: Reputation: 16
How does LinuxQuestions.org remember my log in?


I don't know whether I could ask this question or even whether this question is dumb!

I am a member of Ubuntuforums.org and LinuxQuestions.org. While the former doesn't remember me once I restart my computer, the latter does! I know this is something similar to 'keep me signed in unless I sign out' in Yahoo!.

But I am sort of curious to know how this is achieved!

Could anyone help me in understanding this?
 
Old 03-29-2009, 04:12 PM   #2
Robhogg
Member
 
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653

Rep: Reputation: 85
It is done via a cookie (or actually several). These are small text files stored on your PC, that contain data used by websites. As well as their text content - which might be a userid, or hashed (encrypted) password - they also have an expiry date. Assuming you haven't set any other preferences in your browser, this expiry date can either be at the end of the session, or a particular date.

If you are using Firefox, you can view your cookies by selecting Edit > Preferences > Privacy, and clicking "show cookies". You should find an entry in the list for linuxquestions.org - expand this, and take a look.

I have (among others):
  • bbpassword - contains my hashed password - expires 26/07/2009
  • bbuserid - contains a numeric id (not my username) - expires 26/07/2009
  • bbsessionhash - contains my current sessionid - expires at end of session

Cookies can be helpful, but there are also privacy issues (for instance, marketing companies can use "tracker cookies" to monitor your web activity). Firefox allows you to block cookies from particular domains (I have it ask me for each cookie, and block all from *.2o7.net, *.doubleclick.net, etc) or to set cookies to expire at the end of the session, whatever the expiry date.

See HowStuffWorks for more.

Rob

Last edited by Robhogg; 03-29-2009 at 04:54 PM. Reason: Compliance with English 1.0
 
Old 03-29-2009, 04:27 PM   #3
esm_menc
Member
 
Registered: Apr 2006
Location: washington
Distribution: boat loads in my library:LFS3.1/dsl/puppy/tinycore
Posts: 31

Rep: Reputation: 16
Also, your login info, as he (Robhogg) said, since it is stored in a cookie, is only on the PC you logged in with, so it won't be there when you try to log in with another computer... plus your browser must support it, as some do not.
 
Old 03-29-2009, 04:55 PM   #4
senthilmuthiah
Member
 
Registered: Mar 2009
Distribution: Ubuntu, Fedora
Posts: 56

Original Poster
Rep: Reputation: 16
Thank you very much Robhogg and esm_menc. Those were great explanations.
 
Old 04-02-2009, 06:12 PM   #5
senthilmuthiah
Member
 
Registered: Mar 2009
Distribution: Ubuntu, Fedora
Posts: 56

Original Poster
Rep: Reputation: 16

Hi Robhogg and esm_menc,

I had another question on this issue, while I was sitting in a Biophysics class. [I find a lot of similarity between how we guys code and how DNA replication in our body is carefully proofread :P ]

Given that our cookies are stored as small data files in our computer, can't we hack somebody's password by finding these data files? Obviously this can't be that easy else no one would want them.

Can you enlighten us more?
 
Old 04-03-2009, 08:20 PM   #6
Robhogg
Member
 
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653

Rep: Reputation: 85
Quote:
Originally Posted by senthilmuthiah
Given that our cookies are stored as small data files in our computer, can't we hack somebody's password by finding these data files? Obviously this can't be that easy else no one would want them.
Not easy, in fact it's hard! The password is hashed using a cryptographic function. Although not unbreakable, if a good-enough algorithm is used there's no way of cracking it beyond brute-force. It is possible to find "collisions" where more than one "plaintext" hashes to the same value, and with some functions this has become too easy to be really secure. The LQ password hash is 32 hex characters, 128 bits (so possibly is MD5).

Of course for a site like LQ which allows you to stay fully logged in, often there would be no need to crack the password - just get at my PC, and you will be able to post as me (though would need the password to change some details). Sites where more is at stake should certainly not be storing passwords on the PC, encrypted or not. I have far fewer cookies stored from Amazon or my bank than from LQ, and none of them look like a password.

There will be utilities on your system to calculate these hashes, if you want to experiment with them:
Code:
rob:~$ echo password | sha1sum
c8fed00eb2e87f1cee8e90ebbe870c190ac3848c  -
rob:~$ echo password | md5sum
286755fad04869ca523320acce0dc6a4

Last edited by Robhogg; 04-03-2009 at 08:39 PM. Reason: Example
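
The point made above, that a "stay logged in" cookie does not have to hold anything derived from the password, shown as an added example (not part of the original posts and not LinuxQuestions.org's own code). The function names, the in-memory table and the lifetime are assumptions made for illustration: the cookie carries a random token, the server keeps only its SHA-256 hash, and each token is single use.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory stand-in for a server-side table: selector -> record.
_TOKENS = {}
LIFETIME = 120 * 24 * 3600  # assumed cookie lifetime in seconds (~4 months)


def _digest(validator):
    """Hash the secret half of the token; only this hash is stored."""
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_cookie(user_id, now=None):
    """Return a cookie value 'selector:validator' for a logged-in user."""
    now = time.time() if now is None else now
    selector = secrets.token_hex(8)     # lookup key, not secret
    validator = secrets.token_hex(32)   # random secret, unrelated to password
    _TOKENS[selector] = {"user": user_id, "hash": _digest(validator),
                         "expires": now + LIFETIME}
    return f"{selector}:{validator}"


def redeem_cookie(cookie, now=None):
    """Return (user_id, replacement_cookie), or (None, None) if rejected."""
    now = time.time() if now is None else now
    selector, sep, validator = cookie.partition(":")
    # pop() makes every token single use; a failed attempt also discards it.
    record = _TOKENS.pop(selector, None) if sep else None
    if record is None or now > record["expires"]:
        return None, None
    # Constant-time comparison of the stored hash and the presented one.
    if not hmac.compare_digest(record["hash"], _digest(validator)):
        return None, None
    return record["user"], issue_cookie(record["user"], now)


def revoke_all(user_id):
    """Drop every remembered login, e.g. after a password change."""
    for sel in [s for s, r in _TOKENS.items() if r["user"] == user_id]:
        del _TOKENS[sel]
```

A copied cookie of this kind still lets someone act as the user until it expires or is revoked, but it reveals nothing that could be used to recover the password.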
 
  

