Securing Cookie Based Authentication

面向向阳花 2020-12-24 03:37

I am currently re factoring one of my web applications and I was hoping for some advice on improving my security.

I'll note that the application is in ASP.net and t

4 answers
  •  忘掉有多难
    2020-12-24 04:03

    The best way is to store a session ID as the cookie value.

    Whenever user logs in, you create a record in database or some other session store with a random session ID. Put the ID in a cookie. When you see the cookie later, you can retrieve all user information from database.

    This approach has the following advantages:

    1. It's very secure. The session ID is simply a random number. You don't have to worry about a compromised key or salt.
    2. The cookie can be easily revoked from server. All you have to do is to remove the session record and that renders the ID useless.
    3. The cookie value can be really short.

    If this doesn't work for you, try encryption. A hash would be my last choice. A hash by itself is useless: you have to store the user ID and other information in a different cookie in the clear, so you end up exposing user information.
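An added example of the session-ID design this answer recommends (written for this page, not code from the asker's ASP.net application or from the answerer), in Python since the answer is framework-independent. It goes slightly beyond the answer in two places, both labelled in the comments: the store keeps only a hash of the random ID so a leaked session table cannot be replayed as cookies, and a helper emits the cookie attributes that keep the ID off plain HTTP and away from page scripts. Class and function names are my own.

```python
import hashlib
import secrets
import time

class SessionStore:
    """Server-side store: the cookie carries only a random ID, all user data stays here."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock        # injectable so expiry can be tested deterministically
        self._sessions = {}        # sha256(session_id) -> (user_id, expires_at)

    @staticmethod
    def _key(session_id):
        # Beyond the answer: store only a hash of the ID, so a leaked session
        # table cannot be replayed as cookies. Lookup still costs one hash.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, user_id):
        session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, nothing to crack
        self._sessions[self._key(session_id)] = (user_id, self._clock() + self._ttl)
        return session_id

    def lookup(self, cookie_value):
        """User ID for a presented cookie, or None if unknown, revoked or expired."""
        if not cookie_value:
            return None
        key = self._key(cookie_value)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[key]              # lazy expiry on first touch after TTL
            return None
        return user_id

    def revoke(self, session_id):
        """Log out one browser: delete the record and the cookie value is worthless."""
        return self._sessions.pop(self._key(session_id), None) is not None

    def revoke_all_for_user(self, user_id):
        """Log out everywhere, e.g. after a password change or suspected cookie theft."""
        doomed = [k for k, (uid, _) in self._sessions.items() if uid == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

def set_cookie_header(session_id, name="sid"):
    """Set-Cookie value: HttpOnly keeps it from page scripts, Secure keeps it off plain HTTP."""
    return f"{name}={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

A production store would back `_sessions` with a database or cache and sweep expired rows periodically rather than only on lookup.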
