I’m writing a database authentication system for my web application, which is written in ASP.NET MVC. When someone authorizes, it should save his username in cookies. Is it safe to just use `HttpResponse.Cookies` for saving a cookie whose value is the username? Wouldn’t it be forgeable?
Saving only the username… Is it the right and safe way? Or should I save the whole User object (if this is actually possible)?
Thank you and sorry for my English.
No, saving the username is very insecure, because it can be easily faked. Here are my guidelines:
Tokens can be generated by a CSPRNG to ensure that the auto-login cookie cannot be faked.
Hashing the tokens in the database prevents user account stealing in the case that your database is compromised. (Remember, the token at this point is a password-equivalent.)
HTTP-Only cookies prevent XSS attacks that could potentially steal the cookie.
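The three guidelines above, put together as an added C# example for an ASP.NET MVC app (this is not code from the question or the answer). It assumes a small `IUserTokenStore` interface standing in for the application's own data layer, and a cookie name of `remember_me`; both are assumptions. The cookie carries a random token rather than the username, the database holds only the SHA-256 hash of that token, and the cookie is marked HttpOnly and Secure.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Assumed persistence interface; the real app would back this with its user table.
public interface IUserTokenStore
{
    // Stores SHA-256(token), never the token itself, together with its expiry.
    void SaveTokenHash(string username, string tokenHash, DateTime expiresUtc);

    // Returns the username that owns this hash, or null if unknown or expired.
    string FindUsernameByTokenHash(string tokenHash);
}

public static class RememberMeToken
{
    private const string CookieName = "remember_me"; // assumed cookie name
    private const int TokenBytes = 32;               // 256 bits of randomness

    // Guideline 1: the token comes from a CSPRNG, never from System.Random.
    public static string NewToken()
    {
        var bytes = new byte[TokenBytes];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    // Guideline 2: only the hash of the token is stored. A 256-bit random token
    // cannot be brute-forced, so a fast hash is sufficient here; a slow password
    // hash is needed only for low-entropy, user-chosen secrets.
    public static string HashToken(string token)
    {
        using (var sha = SHA256.Create())
        {
            var digest = sha.ComputeHash(Encoding.UTF8.GetBytes(token));
            return Convert.ToBase64String(digest);
        }
    }

    // Called only after the user has proven their password in the normal login flow.
    public static void Issue(HttpResponseBase response, IUserTokenStore store, string username)
    {
        var token = NewToken();
        var expires = DateTime.UtcNow.AddDays(30);
        store.SaveTokenHash(username, HashToken(token), expires);

        // Guideline 3: HttpOnly keeps script from reading the cookie;
        // Secure keeps it off plain-HTTP connections.
        var cookie = new HttpCookie(CookieName, token)
        {
            HttpOnly = true,
            Secure = true,
            Expires = expires,
        };
        response.Cookies.Add(cookie);
    }

    // On a later request: hash the presented token and look the hash up.
    // A forged cookie produces a hash that matches nothing, so it is rejected.
    public static string Validate(HttpRequestBase request, IUserTokenStore store)
    {
        var cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }
        return store.FindUsernameByTokenHash(HashToken(cookie.Value));
    }
}
```

Because the stored value is a hash, someone who reads the database still cannot build a valid cookie, which is exactly the point the answer makes about the token being password-equivalent. The store should also delete the hash on logout so a stolen cookie stops working once the user signs out.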