Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Experts,
We want a more secure login system for our future projects, rather than using session states to tell if the user is logged in or not. If my understanding is correct, once a user is authenticated via forms authentication, a cookie is generated on the users machine. How secure is that? Is the cookie susceptible to a form of hijacking similar to session hijacking? What if the user doesn’t accept cookies? Is there a better method I should take a look at?
Thanks in advance.
The short answer is it’s as safe as you make it. Most form based authentication systems use cookies to maintain a session with the end-users, but you could use other techniques if you choose to do so.
For cookie based authentication you need to create some kind of token that identifies the authenticated user. This token needs to be something that cannot be easily guessed. This token can be passed in a cookie or stored in a session, in which case a session cookie is stored on the clients machine and the authentication token is access only on the server-side of the connection. If you don’t want the cookie to be captured by an ease-dropper then you can make the cookie Secure and HttpOnly, the former only gets sent over HTTPS, and the latter makes the cookie inaccessible from JavaScript.
If the end-user does not accept cookies then the session id is usually put in the URL which is not safe.
Take a look at this link Session Fixation