I’m designing a very secure login mechanism using play framework2. Since Play does not have a notion of sessions and keep things in the cookies (which I like) I was wondering what are the security measures I need to think about. We obviously going to use SSL to communicate the login credentials and also the cookie is going to be encrypted value of some of user’s information like their email or userid. Is it possible that someone can sniff that cookie or get a hold of it from another user’s cookie and reuse it? how can i make this more secure?
I’m designing a very secure login mechanism using play framework2. Since Play does not
Share
In fact the cookie isn’t encrypted. It is signed. This signature comes from the application.secret in your application.conf.
It means that anyone can see the content of the cookie (and eventually try to spoof other sessions or change their login/id/token…)
From Play documentation :
I am not a security guru, but, if you keep your application secret secret, it seams enough to me.
Discussion about the strength of the signature are welcome !