Logic behind protecting cookies and sessions variables

Posted on 2011-04-30
Last Modified: 2012-05-11
Hey guys and gals,
I currently build in ASP but I am starting to dabble in PHP.  Please treat my question as a general question, you can give code examples if you want, but not necessary.

Here is the situation/question:
I was looking through my cookies the other day (in Firefox) and I was appalled to see that I had created a cookie in clear text of my username and password for a service I created.  I realize now that creating a "remember me" option for a username/password doesn't mean I should save their username and password in a cookie.....

First question:
How should a "remember me" option work on the web?

Second question:
How do I store cookies/sessions without the text being readable?

Question by:Slim81
Accepted Solution

Dave Baldwin earned 1000 total points
ID: 35499365
Assisted Solution

btan earned 1000 total points
ID: 35499508
This is one site that will help you in session mgmt.

@ https://www.owasp.org/index.php/Session_Management

If Cookies are used to store and transmit session identifiers over HTTPS they should be marked as 'Secure' so that they are not served over non-SSL tunnels. Provide an explicit way for users to log out of the application and ensure that this log out routine explicitly expires and destroys the session.

@ https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

Persistent login cookies are the cookies that are stored with your browser when you click the “remember me” button on the login form. For example, when a user selects "remember me" on a site such as Yahoo, the behavior of an active session doesn't change at all. Having a cookie that can actually be used to authenticate a user is riskier - it is a "log me in automatically each time I visit". The usability needs to be balanced with the vulnerability exposed; as you highlighted, clear credentials will entice attackers to come forward to grab them and possibly do more harm than identity theft (at least they do not need to plant a keylogger, making their work easier).

@ http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
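An added example (my own, not code from the thread or from the linked articles) in Python showing the shape of a "remember me" cookie that carries a random selector/validator pair instead of credentials, keeps only a hash of the validator server-side, sets the Secure and HttpOnly flags mentioned above, and is revoked on logout. The in-memory store, cookie name and 30-day lifetime are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Server-side store of persistent-login tokens (constructed for the demo;
# a DB table in practice). Keyed by a random selector and holding only a
# SHA-256 hash of the validator, so a leaked table yields no usable cookies.
TOKEN_STORE = {}
COOKIE_NAME = "remember_me"
LIFETIME = 30 * 24 * 3600  # 30 days, an assumed policy


def issue_remember_cookie(username, now=None):
    """Create a persistent-login token and return the Set-Cookie header line."""
    now = time.time() if now is None else now
    selector = secrets.token_hex(12)        # public lookup key
    validator = secrets.token_urlsafe(32)   # secret, only ever stored hashed
    TOKEN_STORE[selector] = {
        "user": username,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
        "expires": now + LIFETIME,
    }
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = f"{selector}:{validator}"
    cookie[COOKIE_NAME]["secure"] = True      # only sent over HTTPS
    cookie[COOKIE_NAME]["httponly"] = True    # not readable by page scripts
    cookie[COOKIE_NAME]["samesite"] = "Lax"
    cookie[COOKIE_NAME]["max-age"] = LIFETIME
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def check_remember_cookie(cookie_value, now=None):
    """Return the username the cookie authenticates, or None if it is invalid."""
    now = time.time() if now is None else now
    selector, sep, validator = cookie_value.partition(":")
    record = TOKEN_STORE.get(selector)
    if not sep or record is None or record["expires"] < now:
        return None
    presented = hashlib.sha256(validator.encode()).hexdigest()
    # Constant-time compare so response timing does not leak matching bytes.
    if not hmac.compare_digest(presented, record["validator_hash"]):
        return None
    return record["user"]


def logout(cookie_value):
    """Explicit logout revokes the persistent token, not just the live session."""
    TOKEN_STORE.pop(cookie_value.partition(":")[0], None)
```

The browser still holds the cookie after logout, but it no longer authenticates anyone because the server-side record is gone.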

Author Closing Comment

ID: 35507320
Thanks guys!
