Re: Hiding cookies from users by simon.proctor (Vicar)
on Jul 05, 2006 at 14:59 UTC
Update: Added page number in OWASP section at bottom
You shouldn't be passing an encrypted password to subsequent pages. All you should be storing, if anything, is a session identifier. You can store this in the url, a hidden field in a form (.NET for example), a query string or a cookie. You can encrypt it too if you like ;).
All your pertinent info can then be stored/accessible to your web server in some form. It might be an encrypted record in a session file or record in a db (or whatever). Though of course, you then need to plan how these records expire, what happens if someone were to gain access to them (etc).
Using any kind of session variable/identifier has its positives and negatives. Cutting and pasting that identifier, for example, may allow someone else to hijack a session. However, at least that session identifier does not contain any information and it doesn't matter if it is stored on disk (etc). It also means you are free to store larger amounts of info without worrying about the size or number of cookies you set.
As an aside, this is more a question of web security. With this in mind, I really do recommend you read up on this via the Open Web Application Security community site. They have a set of PDF guides for distribution that are worth reading. The download page is here.
Just some thoughts ;).
Update: page 157 in the current draft covers sessions and best practice. Check it out!
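The pattern the post describes (an opaque session identifier in the cookie, all real data plus an expiry held server-side), as an added Python example that is not part of the original post; the store, the 30-minute idle timeout and the cookie name `sid` are assumptions chosen for illustration.

```python
import secrets
import time

SESSION_TTL = 30 * 60  # idle timeout in seconds (assumed value)


class SessionStore:
    """Server-side session store: the cookie only ever carries the id."""

    def __init__(self, ttl=SESSION_TTL, now=time.time):
        self._ttl = ttl
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # sid -> {"user", "data", "expires"}

    def create(self, user, data=None):
        # 32 bytes from the OS CSPRNG: the id is random, not derived from
        # the user, the password or anything else an attacker could guess.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "data": data or {},  # arbitrary server-side payload, no cookie size limit
            "expires": self._now() + self._ttl,
        }
        return sid

    def lookup(self, sid):
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["expires"] <= self._now():
            del self._sessions[sid]  # expired: purge and treat as unknown
            return None
        rec["expires"] = self._now() + self._ttl  # sliding expiry on use
        return rec

    def destroy(self, sid):
        # Logout: the id becomes meaningless even if someone copied it.
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    # Only the identifier leaves the server; the attributes keep the browser
    # from sending it over plain HTTP, exposing it to scripts, or to other sites.
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def sid_from_cookie_header(cookie_header):
    # Pull our id back out of an incoming Cookie: header (constructed input in the test).
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None
```

A pasted identifier still hijacks the session until it expires or is destroyed, which is exactly the trade-off the post mentions; what it cannot do is reveal the password or any other stored data.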