titus

Reputation: 5784

security for cookies

If I sign up to a website and the website sends me a cookie with an ID with which it can identify me, can somebody else impersonate me if they get hold of this cookie?
If somebody else knows the format of the cookie and guesses the ID can they impersonate me this way?
Also, any material where these things are discussed is appreciated.

Upvotes: 0

Views: 113

Answers (1)

Jonathan M

Reputation: 17451

The answer to both questions is a qualified "yes". But both impersonations can be made very difficult. Things that make it difficult to steal a session ID from a cookie:

  1. Using https. All communications between you and the server are encrypted and very difficult to hack.

  2. If the server is using PHP sessions, the ID in the cookie is lengthy and difficult to guess.

  3. Even without these, to intercept a cookie is difficult since the perpetrator must make his/her computer listen for transmissions to/from your IP address or the server IP.

Best security is long IDs (a la PHP sessions) combined with usage of https.

If you're developing, here's some good info: http://thinkvitamin.com/code/how-to-create-totally-secure-cookies/

Upvotes: 2
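As an added illustration (not code from the question or the answer above), the following Python sketch shows the two defences the answer names: a long, unguessable session ID and cookie flags that confine it to https. The in-memory session store, the cookie name `sessionid` and the `expected_guesses` helper are assumptions made for this example.

```python
"""Added example: server-side session IDs that are impractical to guess,
delivered in a cookie that is hard to intercept or read from page scripts.
The in-memory store below is constructed for the example only."""
import hmac
import secrets

SESSION_ID_BYTES = 32  # 256 bits from the OS CSPRNG; the answer's "long ID"

_sessions: dict[str, str] = {}  # constructed store: session_id -> user_id


def new_session_id() -> str:
    """Unguessable session identifier (43 URL-safe characters)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def create_session(user_id: str) -> str:
    """Register a fresh session and return the ID to put in the cookie."""
    sid = new_session_id()
    _sessions[sid] = user_id
    return sid


def lookup_session(sid: str):
    """Return the user for a presented cookie value, or None if unknown.

    The comparison is constant-time so response timing does not reveal
    how many leading characters of a guessed ID were correct."""
    presented = sid.encode()
    for stored, user in _sessions.items():
        if hmac.compare_digest(stored.encode(), presented):
            return user
    return None


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: Secure restricts the cookie to https (it is never
    sent in clear text), HttpOnly hides it from page scripts, SameSite=Lax
    keeps most cross-site requests from carrying it."""
    return f"sessionid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def expected_guesses(id_bits: float, active_sessions: int = 1) -> float:
    """Average guesses needed before one hits any active session ID.

    A 6-digit sequential ID (~20 bits) with 1000 live sessions falls in
    about 500 guesses; a 256-bit random ID needs ~1e74 even then."""
    return 2 ** id_bits / (2 * active_sessions)
```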
