Jump to content

Secure cookies

KubeR

By KubeR
in PHP Coding Help

 Share

Recommended Posts

KubeR Member

KubeR

Posted
Posted

Hello,

I wanted to ask if cookies are editable and if they are trustable to be secured well enough to store sensetive data.

As far as I know some websites are using cookies to store sensitive data such as passwords.

 

 

Greetings,

KubeR.

Link to comment
Share on other sites
requinix Prolific Member

requinix

Posted
Posted

Cookies are editable so they're not inherently safe, but you can make them safer if you store the data encrypted (as in a real encryption that can only happen and be decrypted on your server using cryptographically secure algorithms and keys and all that). Which is a hassle.

 

If you see a site storing your password in a cookie then you should stop using that site because they're doing something really insecure.

Link to comment
Share on other sites
  • 2 weeks later...
KubeR Member

KubeR

Posted
  • Author
Posted

Sorry for the long delay,I was pretty busy with studying and stuff.

Anyhow,is it apply's to session(s) as well ?

I mean,are they also editable ?

 

And about the crypting,how can I make sure that the crypt is safe enough ?

and is crypt can be a solution to everything that requires an encryption ?

And the most important,does it has collisions ?

 

Sorry if I ask too much and I apperciate the time you dedicate to answer,I am just very curious and want to know things before I make any move in order to prevent future problems or mistakes.

Link to comment
Share on other sites
alpine Member

alpine

Posted
Posted (edited)

Instead of storing passwords anywhere client side for client identification, one approach is to create a unique code (temp generated password) each time a user logs in. Store it in the users table, set it in cookie or session and match against that instead. On logout, clear it. Even better, update it on sertain pageload intervals to prevent it from being static and match it against a timestamp when last generated.

Password should never be pulled out of table, only matched at the point of login.

Edited by alpine
Link to comment
Share on other sites
KubeR Member

KubeR

Posted
  • Author
Posted

Instead of storing passwords anywhere client side for client identification, one approach is to create a unique code (temp generated password) each time a user logs in. Store it in the users table, set it in cookie or session and match against that instead. On logout, clear it. Even better, update it on sertain pageload intervals to prevent it from being static and match it against a timestamp when last generated.

Password should never be pulled out of table, only matched at the point of login.

Well,actually I didn't want to store passwords in cookies,but - as you said,indentification of the user.

I guess you cleared the mess of this part,however,I am still curious about the crypt :

And about the crypting,how can I make sure that the crypt is safe enough ?

and is crypt can be a solution to everything that requires an encryption ?

And the most important,does it has collisions ?

Because I want to keep the users data as safe as possible.
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.