Hi
So... I've been reading up a little bit about cookies and security, only to find that you should encrypt the data in them and that they can be hacked by using JavaScript code.
Is this really the only way to hack/steal cookies? In my quest to create a safe login system I would use cookies for storing a token (encrypted), because unlike sessions, one cannot "ride" the session with the ID. You would have to hack/steal the cookie and duplicate it.
So basically I want to know if all I have to protect my cookies from is XSS, by filtering the URI input.

Thanks :)

Not entirely related to your question, but when writing my login script, I record the IP address from which a user accesses their account when they choose to be remembered (i.e. use a cookie). Then, you verify that not only does the encrypted key match what you have stored for them, but so does the IP address from which they're accessing your site.

Obvious, I realise, but thought I'd mention it in case you hadn't thought to do this too.

R.
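As an added illustration of the scheme R. describes (and of the original question's worry about scripts reading cookies), here is a small Python remember-me implementation. It is example code written for this thread, not R.'s login script, and it makes a few assumptions: an in-memory dictionary stands in for the database table, the token is a random value stored only as a SHA-256 hash (rather than the encrypted key R. mentions), the cookie name `remember` and the 30-day lifetime are arbitrary, and `client_ip` is whatever the server has already determined to be the requester's address. The cookie is issued with `HttpOnly` so page scripts cannot read it, and with `Secure` so it only travels over HTTPS; verification checks that the presented token is known, unexpired, and comes from the IP recorded when it was issued.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed in-memory store standing in for a database table:
# sha256(token) -> (user_id, client_ip, expiry_timestamp)
REMEMBER_STORE = {}
TOKEN_TTL = 30 * 24 * 3600  # 30 days, an assumed lifetime


def _digest(token):
    # Store only a hash so a leaked table does not hand out usable tokens
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_remember_token(user_id, client_ip, now=None):
    """Create a random token for user_id, record its hash bound to client_ip, return the raw token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    REMEMBER_STORE[_digest(token)] = (user_id, client_ip, now + TOKEN_TTL)
    return token


def build_cookie_header(token):
    """Render the Set-Cookie value with HttpOnly (no script access) and Secure (HTTPS only)."""
    cookie = SimpleCookie()
    cookie["remember"] = token
    morsel = cookie["remember"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["path"] = "/"
    morsel["max-age"] = TOKEN_TTL
    return morsel.OutputString()


def verify_remember_token(token, client_ip, now=None):
    """Return user_id if the token is known, unexpired and presented from the recorded IP, else None."""
    now = time.time() if now is None else now
    entry = REMEMBER_STORE.get(_digest(token))
    if entry is None:
        return None
    user_id, recorded_ip, expiry = entry
    if now > expiry:
        # Expired tokens are dropped so they cannot be replayed later
        REMEMBER_STORE.pop(_digest(token), None)
        return None
    # Constant-time comparison of the IP recorded at issue time against the current requester
    if not hmac.compare_digest(recorded_ip.encode("utf-8"), client_ip.encode("utf-8")):
        return None
    return user_id


if __name__ == "__main__":
    t = issue_remember_token("alice", "203.0.113.5")
    print(build_cookie_header(t))
    print(verify_remember_token(t, "203.0.113.5"))   # alice
    print(verify_remember_token(t, "198.51.100.9"))  # None: different IP
```

One caveat a practitioner will hit with the IP check: users behind carrier NAT, corporate proxies or mobile networks change addresses routinely, so a strict match logs them out unexpectedly. Treating a mismatch as a reason to require a fresh password rather than silently rejecting is a common compromise.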
