david wong

Hey ! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

Storing plain passwords in cookies December 2013

I've always stored plain passwords in cookies. And today I decided to educate myself about cookies a bit. Well, I was expecting that : you should not store plain passwords in cookies.

Basically, if your computer gets compromised, everyone can read what's in your cookies. So you'd better not store important information that are not encrypted.

What is the work around ? Storing a token + his identification. When someone logs in, I create a random token and store it in the database under its name.

Next time the guy comes around, I see that he has a token, I check if its identification coincides with the token, if it does I log the guy in.

I've seen hardcore implementations where the token (in the database, and in the guy's cookies) is refreshed on every page. I find that a bit troublesome as the cookie expires after 5 days (in my implementation) so it's no big risks.

I could also have put a timestamp forbidding anyone to log in with that token after 5 days. But I feel like it would be over protecting.

Well done! You've reached the end of my post. Now you can leave me a comment :)