
Is the HttpOnly cookie secure?

 
Greenhorn
Posts: 9
I don't know whether the JAVA category suits my question or not, and I don't care actually. What I care about is my question.

So if I have a website and I have an HttpOnly cookie with the Secure flag. Now, what vulnerability can arise here? I mean, is it okay if I store the passwords for "remember me" in the cookies?

Please give me your opinions. My opinion is okay, we can do it. But I want yours.

Thanks for reading.
 
Saloon Keeper
Posts: 8231
Secure HttpOnly cookies cannot be accessed by scripts on the client machine, and they are only sent when the https protocol is used. This means that if the user uses a browser that supports these headers, it's not possible to see the contents of the cookie in a script, or while the cookie is in transit to the server. However, the server can still do stupid stuff with the cookie. One of those stupid things is storing passwords. NEVER STORE PASSWORDS. If you want to remember a user for the duration of the session, simply put something that identifies them in the session after you've authenticated them. The basic flow is like this:

Check if session contains a user identification. If so, the user is already authenticated. If not, authenticate the user with username/password, or other authentication mechanism. Store the user identification in the session.
 
utkarsh agrawal
Greenhorn
Posts: 9
So what I understand from what you're saying is that "Servers can store the cookie to identify the users. If the passwords are also in the cookie, then they are also stored as a cookie".
 
Stephan van Hulst
Saloon Keeper
Posts: 8231
Servers never store cookies. Cookies are stored on the client. You store a user ID in the session (NOT a cookie) to indicate that a user is logged in. A session cookie containing the session ID is sent to the client and stored there, so the server knows which session belongs to a request. This cookie needs to be secure and httponly, to prevent session hijacking. All other information can be stored in a session on the server, unless you have non-sensitive information that you want to store client-side. Even in the case of non-sensitive information, you might want to put them in httponly cookies to prevent the client from editing that information.
 
Stephan van Hulst
Saloon Keeper
Posts: 8231
And I don't know where you get that password bit from. Passwords never go into cookies, or sessions, or databases, or anywhere. You send a password in the body of a request, and then the server hashes it and compares the hash against a previous hash of the password that's stored in the database. You need to do this with an algorithm like bcrypt or PBKDF2. NEVER STORE PASSWORDS.
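The flow described in these replies (session holds only a user ID, the session cookie is Secure and HttpOnly, the password is only ever compared against a stored PBKDF2 hash), written out as an added example that is not from any poster; the user store, session store and cookie name `JSESSIONID` are constructed stand-ins for a real database and servlet container:

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest). Only the digest and salt are stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive the hash and compare in constant time; the plaintext is never stored."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


# Constructed sample account: stands in for the users table (salt + hash, no password).
USERS = {"alice": hash_password("correct horse battery staple")}

# Server-side session store: session id -> session attributes (user id only).
SESSIONS: dict = {}


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session id: Secure + HttpOnly so scripts and
    plain-http requests never see it (SameSite added as extra hardening)."""
    return f"Set-Cookie: JSESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def handle_request(cookies: dict, username: Optional[str] = None,
                   password: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Returns (authenticated user id, Set-Cookie header or None).
    1. Session already identifies a user -> authenticated, nothing else to do.
    2. Otherwise authenticate from credentials in the request body.
    3. On success create a fresh session holding only the user id."""
    session = SESSIONS.get(cookies.get("JSESSIONID", ""))
    if session and "user_id" in session:
        return session["user_id"], None
    if username is None or password is None:
        return None, None
    record = USERS.get(username)
    if record is None or not verify_password(password, *record):
        return None, None
    session_id = secrets.token_urlsafe(32)          # unguessable session id
    SESSIONS[session_id] = {"user_id": username}    # the password is NOT kept anywhere
    return username, session_cookie_header(session_id)
```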
 