Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask

Answer: Cookie based authentication: Is it secure?

by chromatic (Archbishop)
on Aug 28, 2000 at 03:10 UTC ( #29937=categorized answer: print w/replies, xml ) Need Help??

Q&A > CGI programming > Cookie based authentication: Is it secure? - Answer contributed by chromatic

The only thing successfully retrieving a cookie should imply, from a security standpoint, is that, at one time, someone using that particular browser (session, if you're using session cookies) was successfully authenticated. Period.

If I logged in to your site from a public terminal and left the browser open, anyone else could potentially use my cookie.

For some applications, this is enough security. For others, you might save a timestamp of the user's last access and require reauthentication if X minutes/hours/days have passed since the last transaction.

In general, if you don't store too much information in a cookie and if you realize the implications of what I've said above, this is a decent method of saving state.

  • Comment on Answer: Cookie based authentication: Is it secure?
Log In?

What's my password?
Create A New User
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others exploiting the Monastery: (3)
As of 2016-10-22 09:09 GMT
Find Nodes?
    Voting Booth?
    How many different varieties (color, size, etc) of socks do you have in your sock drawer?

    Results (294 votes). Check out past polls.