Kirk Ouimet
Reputation: 28374
Do I need to sign/encrypt cookies if I am using SSL?
If I am serving all of my web content over SSL, do I need to do another layer of encryption and sign my cookie data?
Upvotes: 0
Views: 59
Answers (1)
Jonathon Reinhart
Reputation: 137487
SSL/TLS only offers protection against communications being intercepted and/or modified. It guarantees nothing about text files sitting on a client's hard drive (i.e. cookies).
If you want to prevent a user from presenting your web application with falsified cookie information, then yes, you need to sign your cookie data. If you want to prevent a user from seeing the cookie data, then you should encrypt it as well.
Upvotes: 2
Related Questions
- do I have to use https when relying on cookies or tokens
- Do signed cookies increase security if entire site is served over ssl?
- Do we need to secure the cookie .ASPXANONYMOUS
- Is cookie in https secure?
- Should non-secure cookies be sent over HTTPS?
- Cookie security when passed over SSL
- Should I encrypt non-authentication cookies (i.e those that solely enhance the user experience)?
- Is a cookie secure in a HTTPS connection?
- Does SSL also encrypt cookies?
- how SSL & cookies work?