
Logic behind protecting cookies and sessions variables

Hey guys and gals,
I currently build in ASP but I am starting to dabble in PHP. Please treat my question as a general question; you can give code examples if you want, but it is not necessary.

Here is the situation/question:
I was looking through my cookies the other day (in Firefox) and I was appalled to see that I had created a cookie in clear text of my username and password for a service I created. I realize now that creating a "remember me" option for a username/password doesn't mean I should save their username and password in a cookie...

First question:
How should a "remember me" option work on the web?

Second question:
How do I store cookies/sessions without the text being readable?

Thanks,
Slim
Asked by: Slim81

2 Solutions

Dave Baldwin (Fixer of Problems) commented:
 
btan (Exec Consultant) commented:
This is one site that will help you with session management.

@ https://www.owasp.org/index.php/Session_Management

If Cookies are used to store and transmit session identifiers over HTTPS they should be marked as 'Secure' so that they are not served over non-SSL tunnels. Provide an explicit way for users to log out of the application and ensure that this log out routine explicitly expires and destroys the session.

@ https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

Persistent login cookies are the cookies that are stored by your browser when you tick the "remember me" box on the login form. For example, when a user selects "remember me" on a site such as Yahoo, the behaviour of an active session doesn't change at all. Having a cookie that can actually be used to authenticate a user is riskier: it is a "log me in automatically each time I visit". Usability needs to be balanced against the vulnerability exposed; as you highlighted, clear-text credentials will entice an attacker to come forward and grab them and possibly do more harm than identity theft (at least they do not need to plant a keylogger, which makes their work easier).

@ http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
 
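The scheme the linked article describes, written out as an added PHP example for the asker's "first question" and "second question" above. This is not code from the thread, from OWASP or from the article: the cookie carries only an opaque random token, so there is nothing readable in it to protect, and the server stores a SHA-256 hash of that token against the user and replaces it every time it is redeemed. The selector/token split, the hash at rest and the `$store` array (a constructed in-memory stand-in for a database table) are this example's own choices; it assumes PHP 7.3 or later for the array form of `setcookie()` and `session_set_cookie_params()`.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. "Remember me" without
// credentials in the cookie: the browser holds a random token, the server keeps
// only its SHA-256 hash, and the token is rotated on every use.
// $store is a constructed in-memory stand-in for a database table.

const REMEMBER_COOKIE = 'remember_me';
const TOKEN_TTL       = 30 * 24 * 3600;   // 30 days

/** Start the session with the cookie flags the OWASP page recommends (PHP 7.3+). */
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Create a new token for $userId and return the cookie value for the browser. */
function issueRememberToken(array &$store, string $userId, int $now): string
{
    $selector = bin2hex(random_bytes(9));    // row lookup key, not a secret
    $token    = bin2hex(random_bytes(32));   // the secret; exists only in the cookie
    $store[$selector] = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $token),
        'expires'    => $now + TOKEN_TTL,
    ];
    return $selector . ':' . $token;
}

/**
 * Validate a presented cookie. The stored row is consumed whether or not it
 * matches, so a token can only ever be redeemed once. On success returns
 * [user_id, fresh cookie value]; otherwise null and the user must log in.
 */
function redeemRememberToken(array &$store, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $token] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);               // single use, valid or not
    if ($row['expires'] < $now
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;                        // expired, forged or replayed
    }
    return [$row['user_id'], issueRememberToken($store, $row['user_id'], $now)];
}

/** Send the remember-me cookie with the same flags as the session cookie. */
function sendRememberCookie(string $value, int $expires): void
{
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/** Explicit logout: revoke the persistent token and destroy the server-side session. */
function logout(array &$store, ?string $cookie): void
{
    if ($cookie !== null) {
        unset($store[explode(':', $cookie, 2)[0]]);
    }
    sendRememberCookie('', 1);              // expire the cookie in the browser
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        session_destroy();
    }
}

// Demonstration against the constructed store; runs from the CLI.
$store = [];
$now   = time();

$cookie = issueRememberToken($store, 'slim81', $now);            // user ticked "remember me"
$result = redeemRememberToken($store, $cookie, $now + 3600);     // next visit: accepted
assert($result !== null && $result[0] === 'slim81');
assert(redeemRememberToken($store, $cookie, $now + 3600) === null);  // replaying the old token fails
$cookie = $result[1];                                            // browser now holds the rotated token
assert(redeemRememberToken($store, $cookie, $now + 2 * TOKEN_TTL) === null); // expired token fails
echo "remember-me flow OK\n";
```

Nothing in the cookie is worth encrypting, which answers the second question: the session itself lives server-side and the browser only ever sees identifiers. In a real deployment the rows go in a database keyed by selector, `sendRememberCookie()` is called with the value returned from `issueRememberToken()` or `redeemRememberToken()`, and a lookup hit whose token hash does not match is worth logging, since it usually means a copied cookie was used after the legitimate browser had already rotated it.
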
Slim81 (Author) commented:
Thanks guys!