Logic behind protecting cookies and sessions variables

Posted on 2011-04-30
Last Modified: 2012-05-11
Hey guys and gals,
I currently build in ASP but I am starting to dabble in PHP.  Please treat my question as a general question, you can give code examples if you want, but not necessary.

Here is the situation/question:
I was looking through my cookies the other day (in Firefox) and I was appalled to see that I had created a cookie in clear text of my username and password for a service I created.  I realize now that creating a "remember me" option for a username/password doesn't mean I should save their username and password in a cookie...

First question:
How should a "remember me" option work on the web?

Second question:
How do I store cookies/sessions without the text being readable?

Question by:Slim81

    Accepted Solution


    Assisted Solution

    This is one site that will help you with session management.


    If Cookies are used to store and transmit session identifiers over HTTPS they should be marked as 'Secure' so that they are not served over non-SSL tunnels. Provide an explicit way for users to log out of the application and ensure that this log out routine explicitly expires and destroys the session.


    Persistent login cookies are the cookies that are stored by your browser when you click the "remember me" button on the login form. For example, when a user selects "remember me" on a site such as Yahoo, the behavior of an active session doesn't change at all. Having a cookie that can actually be used to authenticate a user is riskier - it is a "log me in automatically each time I visit". The usability needs to be balanced with the vulnerability exposed; as you highlighted, clear credentials will entice attackers to come forward to grab them and possibly do more harm than identity theft (at least they do not need to plant a keylogger, making their work easier).
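    The following is an added example, not code from the original question or answer, showing how the points above fit together: the session cookie and the "remember me" cookie are both sent with the Secure and HttpOnly flags, the "remember me" cookie carries a random token rather than the username and password, the server stores only a hash of that token, and logout destroys the server-side session and revokes the token. It is written in Python so it runs stand-alone (the asker works in ASP and PHP, but the logic is the same in any server language); the in-memory dictionaries, cookie names and helper names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed names for the example; a real app would use its own.
REMEMBER_COOKIE = "remember_me"
SESSION_COOKIE = "sid"
REMEMBER_LIFETIME = 30 * 24 * 3600  # 30 days

# In-memory stores standing in for database tables (constructed for the example).
remember_tokens = {}  # selector -> {"user", "validator_hash", "expires"}
sessions = {}         # session id -> {"user"}


def set_cookie_header(name, value, max_age):
    """Build a Set-Cookie header value with Secure, HttpOnly and SameSite set."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True      # browser never sends it over plain HTTP
    jar[name]["httponly"] = True    # page script cannot read it
    jar[name]["samesite"] = "Lax"
    jar[name]["max-age"] = max_age
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def issue_remember_token(username, now=None):
    """Create a selector:validator pair; only a hash of the validator is stored.

    The cookie never contains the username or password. If the token table
    leaks, the hashed validators cannot be used to log in.
    """
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(9)    # lookup key, not secret on its own
    validator = secrets.token_urlsafe(32)  # the secret; exists only in the cookie
    remember_tokens[selector] = {
        "user": username,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
        "expires": now + REMEMBER_LIFETIME,
    }
    return f"{selector}:{validator}"


def redeem_remember_token(cookie_value, now=None):
    """Log the bearer in if the token is valid and rotate it on every use.

    Returns (username, fresh_cookie_value) or None.
    """
    now = time.time() if now is None else now
    selector, sep, validator = cookie_value.partition(":")
    record = remember_tokens.get(selector) if sep else None
    if record is None:
        return None
    if record["expires"] < now:
        del remember_tokens[selector]
        return None
    presented = hashlib.sha256(validator.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["validator_hash"]):
        # Known selector with the wrong secret: treat as theft and revoke it.
        del remember_tokens[selector]
        return None
    del remember_tokens[selector]  # single use: a stolen copy is useless after this
    return record["user"], issue_remember_token(record["user"], now)


def start_session(username):
    """Create a server-side session; the cookie carries only the random id."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": username}
    return sid


def logout(sid, remember_cookie_value=None):
    """Destroy the server-side session, revoke the remember-me token, and
    return Set-Cookie headers that make the browser discard both cookies."""
    sessions.pop(sid, None)
    if remember_cookie_value:
        remember_tokens.pop(remember_cookie_value.partition(":")[0], None)
    return [set_cookie_header(SESSION_COOKIE, "", 0),
            set_cookie_header(REMEMBER_COOKIE, "", 0)]


if __name__ == "__main__":
    token = issue_remember_token("alice")
    print(set_cookie_header(REMEMBER_COOKIE, token, REMEMBER_LIFETIME))
    user, new_token = redeem_remember_token(token)
    print(user, redeem_remember_token(token))  # the old token is burned
    print(logout(start_session(user), new_token))
```

    The split into a selector and a validator lets the server look the record up by the selector and compare the validator with a constant-time comparison, so neither the database lookup nor the comparison leaks timing information about the secret. Rotating the token on every use means a copied cookie stops working as soon as the legitimate browser uses it, and a wrong validator for a known selector is a strong signal that the cookie was stolen, so the record is revoked outright.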


    Author Closing Comment

    Thanks guys!
