This repository has been archived by the owner on Jul 5, 2023. It is now read-only.

Database usernames and passwords stored in plain text in a cookie #75

Open
nodesocket opened this issue Jan 23, 2013 · 4 comments

Comments

@nodesocket

Isn't this a security issue? I know obviously it is recommended to only expose genghis locally, or else use web server allow and deny directives, still, isn't there a better way of persisting the database connection details?

Honestly, I would rather have genghis not persist the database details beyond a browser session, i.e. every time the browser is closed, you must re-enter server details.

@peterbe

peterbe commented Feb 25, 2013

👍 on having to log in each time instead of using a nasty plain text cookie.

@davidgubler

This is a serious issue for us. Unless you have full-disk encryption (which we don't have on our Windows machines, unfortunately), a lost laptop automatically means compromised passwords (possibly for production servers), because browsers do not encrypt cookies. E.g. storing the values of password input fields, in contrast, is much safer (they are usually encrypted, even in IE).

It would be great to have a simple, plain, old-fashioned login form to enter passwords (you can still store user names and servers in a cookie). Also, the application should not even give the user the option to store passwords in cookies, otherwise some users will do it anyway and thus compromise the security of your passwords.

@bobthecow
Owner

I'm planning to address this in the next major release (3.0). It's a bit difficult to fully solve, though.

If you're running Genghis locally, storing passwords in your session is just as secure (or insecure) as storing them in a cookie. If you're running Genghis on a server, you've gotta pass credentials back and forth between the client and the server, and many (most?) people don't set up SSL, so that's a much greater risk than someone having physical access to your laptop and cookies.

Best practices probably look something like this:

  • Always use full-disk encryption on any computer someone else might possibly have physical access to. If you don't do this, the bad guys probably have complete access to everything anyway.
  • Always either (1) run Genghis locally, or (2) run Genghis on a server with SSL (properly) configured.
  • If you're running Genghis on a server, configure your server to require authentication of some sort. HTTP basic auth is just fine.

@nodesocket
Author

I am running Genghis on a server. Agree I can simply enable http basic auth with nginx, but would be nice to have the Genghis app do this via some configuration flags in the config.
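The two server-side recommendations in this thread (run Genghis behind properly configured SSL, and have the web server require authentication, e.g. HTTP basic auth via nginx) can be combined in a single reverse-proxy configuration. The following is an added example, not part of the Genghis project or of any comment above; the hostname, certificate paths, htpasswd path and the port Genghis listens on are all assumptions to be adjusted for your deployment.

```nginx
# Added example (not Genghis project code): nginx terminates TLS and
# requires HTTP basic auth before proxying to a Genghis instance that is
# bound to loopback only. All names, paths and ports below are assumptions.

# Redirect plain HTTP to HTTPS so credentials never cross the wire unencrypted.
server {
    listen 80;
    server_name genghis.example.com;   # assumed hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name genghis.example.com;   # assumed hostname

    ssl_certificate     /etc/nginx/tls/genghis.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/genghis.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Ask browsers to keep using HTTPS for this host on later visits.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Users file created out of band, e.g.:
        #   htpasswd -c /etc/nginx/genghis.htpasswd <username>
        auth_basic           "Genghis";
        auth_basic_user_file /etc/nginx/genghis.htpasswd;   # assumed path

        # Genghis itself listens only on 127.0.0.1, so the only route to it
        # is through this authenticated, TLS-protected proxy.
        proxy_pass         http://127.0.0.1:5678;   # assumed port
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X-Real-IP         $remote_addr;
    }
}
```

Two points matter for this to actually help. Genghis must be started bound to the loopback address only; otherwise the proxy's authentication can be bypassed by connecting to the application port directly. And basic auth is only acceptable because the listener is TLS-only with an HTTP-to-HTTPS redirect, since basic auth sends the credentials base64-encoded (not encrypted) on every request.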
