May 1st, 2009

Cookies

Hi
So... I've been reading up a little bit about cookies and security. Only to find that you should encrypt the data in them and that they can be hacked by using JavaScript code.
Is this really the only way to hack/steal cookies? In my quest to create a safe login system I would use cookies for storing a token (encrypted), because unlike sessions, one cannot "ride" the session with the ID. You would have to hack/steal the cookie and duplicate it.
So basically I want to know if all I have to protect my cookies from is XSS, by filtering the URI input.

Thanks
brechtjah
May 1st, 2009

Re: Cookies

Not entirely related to your question, but when writing my login script, I record the IP address from which a user accesses their account when they choose to be remembered (i.e. use a cookie). Then, you verify that not only does the encrypted key match what you have stored for them, but so does the IP address from which they're accessing your site.

Obvious, I realise, but thought I'd mention it in case you hadn't thought to do this too.

R.
blocblue
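
The check described in the reply above, as an added example that is not part of the original thread or either poster's code. It swaps the "encrypted key" for a random token whose SHA-256 hash is stored server-side, and it sets the cookie `HttpOnly` so page JavaScript cannot read it; the in-memory `$store`, the cookie name and all function names are assumptions made for the illustration.

```php
<?php
// Added example (PHP 7.3+). $store stands in for a database table; it and
// every function name below are hypothetical, constructed for this demo.

function issueToken(array &$store, int $userId, string $ip): string
{
    $token = bin2hex(random_bytes(32));       // unguessable cookie value
    $store[$userId] = [
        'hash' => hash('sha256', $token),     // keep only a hash server-side
        'ip'   => $ip,                        // IP recorded when "remember me" was chosen
    ];
    return $userId . ':' . $token;            // value to place in the cookie
}

// Call during a web request, before any output is sent.
function sendCookie(string $value): void
{
    setcookie('remember', $value, [
        'expires'  => time() + 30 * 86400,
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable through document.cookie
        'samesite' => 'Lax',
    ]);
}

// Returns the user id when both the token and the IP match, otherwise null.
function verifyCookie(array $store, string $cookie, string $ip): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;                          // malformed cookie
    }
    $rec = $store[(int) $parts[0]] ?? null;
    if ($rec === null) {
        return null;                          // no remembered login for this user
    }
    $tokenOk = hash_equals($rec['hash'], hash('sha256', $parts[1]));
    $ipOk    = hash_equals($rec['ip'], $ip);
    return ($tokenOk && $ipOk) ? (int) $parts[0] : null;
}

// Constructed sample data (documentation-range addresses).
$store  = [];
$cookie = issueToken($store, 42, '203.0.113.7');
var_dump(verifyCookie($store, $cookie, '203.0.113.7'));   // same IP as at issue time
var_dump(verifyCookie($store, $cookie, '198.51.100.9'));  // same cookie, different IP
var_dump(verifyCookie($store, '42:' . str_repeat('0', 64), '203.0.113.7')); // wrong token
```

A user whose address changes between visits (mobile networks, proxies) fails the IP check and has to log in again.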

© 2011 DaniWeb® LLC