I would like to know if there is a security issue if I set the _id of my user in a cookie to identify users, or whether it would be better to set one cookie with the username and another one with the encoded pwd.
Thanks
Yes, that is absolutely a security risk — it means that, if a user can discover the _id of another user (e.g., if you accidentally display it somewhere), they can log in as that user. Worse yet, the _id cannot be changed after the fact, so there’s no way to force another session to remotely log out, or to recover from a stolen cookie.

Use sessions for login, not user-specific data.
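
A sketch of the session approach the answer recommends, as an added example that is not part of the original answer: the cookie carries a random token that maps to the user server-side, so knowing an _id logs nobody in and any session can be revoked. The in-memory store, the function names, the `sid` cookie name and the 30-minute lifetime are assumptions for illustration.

```javascript
// Added example: opaque server-side sessions instead of a user _id cookie.
const { randomBytes, createHash } = require("node:crypto");

// In-memory store for illustration (assumption); use a database or cache in production.
// Keyed by SHA-256 of the token so a leaked store does not yield usable cookies.
const sessions = new Map();
const SESSION_TTL_MS = 30 * 60 * 1000; // assumed 30-minute lifetime

const hashToken = (token) => createHash("sha256").update(token).digest("hex");

// Call only after the password has been verified. Returns the cookie value.
function createSession(userId, now = Date.now()) {
  const token = randomBytes(32).toString("hex"); // 256 random bits, unrelated to _id
  sessions.set(hashToken(token), { userId, expiresAt: now + SESSION_TTL_MS });
  return token;
}

// Map a cookie value to a user id; null if unknown, expired or revoked.
function resolveSession(token, now = Date.now()) {
  if (typeof token !== "string" || token.length === 0) return null;
  const key = hashToken(token);
  const entry = sessions.get(key);
  if (!entry) return null;
  if (entry.expiresAt <= now) {
    sessions.delete(key);
    return null;
  }
  return entry.userId;
}

// Log out a single session (normal logout).
function revokeSession(token) {
  return sessions.delete(hashToken(token));
}

// Log out every session of a user, e.g. after a stolen cookie or password change.
function revokeAllForUser(userId) {
  let removed = 0;
  for (const [key, entry] of sessions) {
    if (entry.userId === userId) {
      sessions.delete(key);
      removed++;
    }
  }
  return removed;
}

// Set-Cookie value: HttpOnly hides it from page scripts, Secure keeps it on HTTPS.
function sessionCookie(token) {
  return `sid=${token}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=${SESSION_TTL_MS / 1000}`;
}
```
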