Jump to content

Secure cookies


KubeR

Recommended Posts

Hello,

I wanted to ask if cookies are editable and if they are trustable to be secured well enough to store sensetive data.

As far as I know some websites are using cookies to store sensitive data such as passwords.

 

 

Greetings,

KubeR.

Link to comment
Share on other sites

Cookies are editable so they're not inherently safe, but you can make them safer if you store the data encrypted (as in a real encryption that can only happen and be decrypted on your server using cryptographically secure algorithms and keys and all that). Which is a hassle.

 

If you see a site storing your password in a cookie then you should stop using that site because they're doing something really insecure.

Link to comment
Share on other sites

  • 2 weeks later...

Sorry for the long delay,I was pretty busy with studying and stuff.

Anyhow,is it apply's to session(s) as well ?

I mean,are they also editable ?

 

And about the crypting,how can I make sure that the crypt is safe enough ?

and is crypt can be a solution to everything that requires an encryption ?

And the most important,does it has collisions ?

 

Sorry if I ask too much and I apperciate the time you dedicate to answer,I am just very curious and want to know things before I make any move in order to prevent future problems or mistakes.

Link to comment
Share on other sites

Instead of storing passwords anywhere client side for client identification, one approach is to create a unique code (temp generated password) each time a user logs in. Store it in the users table, set it in cookie or session and match against that instead. On logout, clear it. Even better, update it on sertain pageload intervals to prevent it from being static and match it against a timestamp when last generated.

Password should never be pulled out of table, only matched at the point of login.

Edited by alpine
Link to comment
Share on other sites

Instead of storing passwords anywhere client side for client identification, one approach is to create a unique code (temp generated password) each time a user logs in. Store it in the users table, set it in cookie or session and match against that instead. On logout, clear it. Even better, update it on sertain pageload intervals to prevent it from being static and match it against a timestamp when last generated.

Password should never be pulled out of table, only matched at the point of login.

Well,actually I didn't want to store passwords in cookies,but - as you said,indentification of the user.

I guess you cleared the mess of this part,however,I am still curious about the crypt :

And about the crypting,how can I make sure that the crypt is safe enough ?

and is crypt can be a solution to everything that requires an encryption ?

And the most important,does it has collisions ?

Because I want to keep the users data as safe as possible.
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.