KubeR Posted October 26, 2013 Share Posted October 26, 2013 Hello, I wanted to ask if cookies are editable and if they are trustable to be secured well enough to store sensetive data. As far as I know some websites are using cookies to store sensitive data such as passwords. Greetings, KubeR. Quote Link to comment Share on other sites More sharing options...
requinix Posted October 26, 2013 Share Posted October 26, 2013 Cookies are editable so they're not inherently safe, but you can make them safer if you store the data encrypted (as in a real encryption that can only happen and be decrypted on your server using cryptographically secure algorithms and keys and all that). Which is a hassle. If you see a site storing your password in a cookie then you should stop using that site because they're doing something really insecure. Quote Link to comment Share on other sites More sharing options...
Irate Posted October 26, 2013 Share Posted October 26, 2013 Rule of thumb, never trust anything that comes from the client side, you never know if it has been tampered with. Quote Link to comment Share on other sites More sharing options...
KubeR Posted November 3, 2013 Author Share Posted November 3, 2013 Sorry for the long delay,I was pretty busy with studying and stuff. Anyhow,is it apply's to session(s) as well ? I mean,are they also editable ? And about the crypting,how can I make sure that the crypt is safe enough ? and is crypt can be a solution to everything that requires an encryption ? And the most important,does it has collisions ? Sorry if I ask too much and I apperciate the time you dedicate to answer,I am just very curious and want to know things before I make any move in order to prevent future problems or mistakes. Quote Link to comment Share on other sites More sharing options...
alpine Posted November 3, 2013 Share Posted November 3, 2013 (edited) Instead of storing passwords anywhere client side for client identification, one approach is to create a unique code (temp generated password) each time a user logs in. Store it in the users table, set it in cookie or session and match against that instead. On logout, clear it. Even better, update it on sertain pageload intervals to prevent it from being static and match it against a timestamp when last generated. Password should never be pulled out of table, only matched at the point of login. Edited November 3, 2013 by alpine Quote Link to comment Share on other sites More sharing options...
KubeR Posted November 3, 2013 Author Share Posted November 3, 2013 Instead of storing passwords anywhere client side for client identification, one approach is to create a unique code (temp generated password) each time a user logs in. Store it in the users table, set it in cookie or session and match against that instead. On logout, clear it. Even better, update it on sertain pageload intervals to prevent it from being static and match it against a timestamp when last generated. Password should never be pulled out of table, only matched at the point of login. Well,actually I didn't want to store passwords in cookies,but - as you said,indentification of the user. I guess you cleared the mess of this part,however,I am still curious about the crypt : And about the crypting,how can I make sure that the crypt is safe enough ? and is crypt can be a solution to everything that requires an encryption ? And the most important,does it has collisions ? Because I want to keep the users data as safe as possible. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.