I'm extremely surprised that people keep inventing javascripts and applets for ports' run-through at the time when everything that hacker needs is transmitted openly

They seem to be likely to make it convenient for customers. But it is nonsense
Generally no one knows what can be done with servers of some 'leading' providers working with freeware...
This freeware seems to be of mass usage and it is connected with money. But each server has got a postal system of its own.

Something similar is discussed on the forum. I’ve suggested a method of my own there. Here are two cookies. One of them contains login and another one contains hash from the time of page loading, password hash and letter ‘Z’. Program enters the base, takes entry with such login, composes a hash and compares it with the one got from cookie.

Oops! IP isn’t checked!!! It is written on hackzone that javascript can extract cookie. And this means it can be transmitted to a hacker. Sure, IP-verification should be added 

And I have automatized breaking    But I don’t claim to have fame of its discoverer.

Last edited by n00bphp (March 23, 2007 8:48 am)

The thing is that a user is deprived of his mail-box within some seconds from that moment when he applies to a ‘photo’ or clicks a link.

We are not speaking about Bat.
It's better to save session IDs in cookies - the users are rather to switch them on then complain about breaking afterwards. Otherwise you aren't protected - anyone may enter and take anything he wants.

detail> javascript can extract cookie as well.
How is it possible?! As I understand the theory cookies are submitted to that host only from which they have been recorded i.e. if there is request http://main/index.php in which setcookie ('name', 'value'), the user’s browser will send this cookie when applying to index.php But if I insert an image from another host (for instance, http://hacker/image.gif) within index.php, the browser won’t send my cookie with request as far as it is the other host. Well, if you try to replace image.gif with javascript, you won’t succeed as well. It simply won’t be handled as far as the browser expects to get an image on img-tag not text. And how is it possible at all for javascript to extract cookie from other host? I’ve lost inside my guesses…Where is the hole? 

And what if I have proxy and local hidden behind it? In such a case one IP identifies a lot of people. It seems to be likely to let the first one through but as to the second one… 

Take a program like Proxomitron and view what comes outside. Look up the PHP-manual to find out how to post the same.