Reputation: 630
The scenario is a web app running with no ability to store information locally, such as sessions. So in order to provide state, here's what I'm thinking. The server has a list of users and SHA256(passwords + salt). When a user logs in, I would set a name cookie with the username and a key cookie with SHA256(SHA256(password + salt) . ip).
This would allow the server to compare the credentials without knowing the plain text password, it wouldn't expose the password in the client's cookie, and would safeguard the logged-in credentials against being exfiltrated into an attacker's system since it would only work on that one IP address.
The only drawback I can see is that there would be no way to enforce expiry. So it would basically be a lifetime cookie for that user/password/IP combination, or at least until the web app erases the cookie or the user changes his password.
Upvotes: 1
Views: 40
Reputation: 1312
You must not use the password anywhere in a cookie, even if it is encrypted.
Give every user an ID, and on every login you must:
1. Update the login time
2. Create a unique session ID
3. Set a cookie with the unique session ID
Now, on every request to the server:
1. Validate the session cookie
2. Check the login time against the current server time
It is just a basic structure.
Upvotes: 1
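The session flow from the answer above, as an added example that is not part of the original post: a server-side store keyed by a random session ID, a login time recorded at login, and a per-request check that rejects unknown or expired sessions. The 30-minute maximum age, the in-memory dictionaries and the single user are constructed assumptions.

```python
import secrets
import time

SESSION_MAX_AGE = 30 * 60  # assumed policy: a session is valid for 30 minutes after login

# Constructed user table: user ID -> username. No password material is ever placed in a cookie.
USERS = {1: "alice"}

# Server-side session store: session ID -> {"user_id": ..., "login_time": ...}
SESSIONS = {}


def login(user_id, now=None):
    """Steps 1-3 of the answer: record login time, mint a unique session ID, hand it back for the cookie."""
    now = time.time() if now is None else now
    # 32 random bytes from the OS CSPRNG: unguessable, unrelated to the password or the client IP
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user_id": user_id, "login_time": now}
    return session_id


def session_cookie_header(session_id):
    """Set-Cookie value: HttpOnly keeps scripts away from it, Secure keeps it off plain HTTP."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def validate_request(session_cookie, now=None):
    """Per-request checks: the cookie must map to a live session whose login time is within max age."""
    now = time.time() if now is None else now
    session = SESSIONS.get(session_cookie)
    if session is None:
        return None  # unknown or forged session ID
    if now - session["login_time"] > SESSION_MAX_AGE:
        del SESSIONS[session_cookie]  # expired: drop it so the old cookie cannot be replayed later
        return None
    return session["user_id"]


def logout(session_cookie):
    """Server-side invalidation; the client cookie becomes useless even if it is never cleared."""
    SESSIONS.pop(session_cookie, None)


if __name__ == "__main__":
    sid = login(1, now=1000.0)
    print(session_cookie_header(sid))
    print("within max age:", validate_request(sid, now=1500.0))      # 1
    print("after expiry:", validate_request(sid, now=1000.0 + SESSION_MAX_AGE + 1))  # None
```

Expiry is enforced by the server's own clock against the stored login time, which is exactly what the cookie-only scheme in the question cannot do.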