Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"
 
PerlMonks  

Re: Hiding cookies from users

by simon.proctor (Vicar)
on Jul 05, 2006 at 14:59 UTC ( #559356=note: print w/ replies, xml ) Need Help??


in reply to Hiding cookies from users

Update:Added page number in owasp section at bottom

You shouldn't be passing an encrypted password to subsequent pages. All you should be storing, if anything, is a session identifier. You can store this in the url, a hidden field in a form (.NET for example), a query string or a cookie. You can encrypt it too if you like ;).

All your pertinient info can then be stored/accessible to your web server in some form . It might be an encrypted record in a session file or record in a db (or whatever). Though of course, you then need to plan how these records expire, what happens if someone were to gain access to them (etc).

Using any kind of session variable/identifier has its positives and negatives. Cutting and pasting that identifier, for example, may allow someone else to hijack a session. However, at least that session identifier does not contain any information and it doesn't matter if it is stored on disk (etc). It also means you are free up to store larger amounts of info without worring about the size or number of cookies you set.

As an aside, this is more a question of web security. With this in mind, I really do recommend you read up on this via the Open Web Aapplication Security community site. They have a set of PDF guides PDF for distribution that are worth reading. The download page is here.

Just some thoughts ;).

Update: page 157 in the current draft covers sessions and best practise. Check it out!


Comment on Re: Hiding cookies from users
Re^2: Hiding cookies from users
by Anonymous Monk on Jul 05, 2006 at 15:44 UTC

    Thanks for links.

    I will check them out

Reaped: Re^2: Hiding cookies from users
by NodeReaper (Curate) on Jul 05, 2006 at 15:45 UTC

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://559356]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (13)
As of 2014-10-21 18:33 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    For retirement, I am banking on:










    Results (106 votes), past polls