So... I've been reading up a little bit about cookies and security, only to find that you should encrypt the data in them and that they can be hacked by using JavaScript code.
Is this really the only way to hack/steal cookies? In my quest to create a safe login system I would use cookies for storing a token (encrypted), because unlike sessions, one cannot "ride" the session with the ID. You would have to hack/steal the cookie and duplicate it.
So basically I want to know if all I have to protect my cookies from is XSS, by filtering the URI input.

Thanks :)

Last Post by blocblue

Not entirely related to your question, but when writing my login script, I record the IP address from which a user accesses their account when they choose to be remembered (i.e. use a cookie). Then you verify that not only does the encrypted key match what you have stored for them, but so does the IP address from which they're accessing your site.

Obvious, I realise, but thought I'd mention it in case you hadn't thought to do this too.
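An added example (not code from either poster) pulling the two threads together: a "remember me" token stored in a cookie with the HttpOnly flag so that script cannot read it even if an XSS bug gets past input filtering, and the IP check from the reply above. The in-memory store, the `remember` cookie name and the hypothetical `issue_remember_token` / `verify_remember_token` functions are assumptions for the demo.

```python
import hmac, hashlib, secrets, time

# Constructed in-memory store standing in for the "remember me" table.
# Only a hash of the validator is kept, so a leaked table does not yield
# working cookies.
REMEMBER_TOKENS = {}

def issue_remember_token(user_id, client_ip, ttl=30 * 24 * 3600):
    """Create a token bound to the client IP and return
    (cookie_value, set_cookie_header)."""
    selector = secrets.token_urlsafe(12)    # lookup key, not secret
    validator = secrets.token_urlsafe(32)   # the secret part
    REMEMBER_TOKENS[selector] = {
        "user_id": user_id,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
        "ip": client_ip,
        "expires": time.time() + ttl,
    }
    value = f"{selector}:{validator}"
    # HttpOnly keeps the cookie out of document.cookie; Secure and SameSite
    # limit where the browser will send it.
    header = (f"Set-Cookie: remember={value}; Max-Age={ttl}; Path=/; "
              "HttpOnly; Secure; SameSite=Lax")
    return value, header

def verify_remember_token(cookie_value, client_ip, now=None):
    """Return the user_id if the cookie is valid for this IP, else None."""
    now = time.time() if now is None else now
    try:
        selector, validator = cookie_value.split(":", 1)
    except (AttributeError, ValueError):
        return None
    record = REMEMBER_TOKENS.get(selector)
    if record is None or record["expires"] < now:
        return None
    presented = hashlib.sha256(validator.encode()).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(presented, record["validator_hash"]):
        # Known selector with a wrong validator: the cookie was guessed or
        # tampered with, so revoke it rather than leave it usable.
        del REMEMBER_TOKENS[selector]
        return None
    if record["ip"] != client_ip:
        return None
    return record["user_id"]
```

Binding to the IP as the reply suggests does cut off a copied cookie used from elsewhere, but it also logs out legitimate users whose address changes (mobile networks, VPNs), so it is a trade-off rather than a free win.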

