  1. #1
    SitePoint Member
    Join Date
    May 2006
    Posts
    20
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Question Storing Passwords in Cookies

    Obviously you should never store passwords in cookies in clear text in order to remember users so that they can automatically login to a site. However, even if you encrypt a user's password, or use some random token, couldn't someone with access to a machine copy and use that cookie on another machine to login as that user? Pardon my ignorance if I'm missing something obvious, but isn't this a distinct possibility? Is that why financial institutions and other sites that deal with money don't allow you to store your password?

  2. #2
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Join Date
    Aug 2008
    Location
    The Netherlands
    Posts
    9,094
    Mentioned
    153 Post(s)
    Tagged
    2 Thread(s)
    You're completely right.

    Whatever people say, never store a password, or the hash of a password, or whatever in a cookie.

    See Session hijacking

    And yes, I would suppose that is why banks etc don't let you store your password. Suppose it would store my password, and someone logs in to my banking account on my computer (or steals my computer and then logs in) and transfers all my money to himself ...
    Just makes it too easy for people who are up to no good
    Rémon - Hosting Advisor

    SitePoint forums will switch to Discourse soon! Make sure you're ready for it!

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy

  3. #3
    SitePoint Member
    Join Date
    May 2006
    Posts
    20
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I thought so, thanks for the confirmation. I searched around and found a great article at http://jaspan.com/improved_persisten..._best_practice which discusses this very issue. The author seems to have a solid solution although I haven't yet read through all of the comments to see if anyone managed to shoot holes in his plan. Thanks.

  4. #4
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,861
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by ScallioXTX View Post
    And yes, I would suppose that is why banks etc don't let you store your password.
    The banks can't stop you storing your password - most browsers these days have a save password option built right into the browser that doesn't rely on cookies to save the passwords. The browsers usually also offer a master password setup where the stored passwords can only be used if you enter the master password before using the first one - that prevents someone else using the passwords since they don't know the master password.

    Since all decent browsers offer to save passwords for you with appropriate security within the browser there is no point in setting up a less secure option of your own using cookies.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  5. #5
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Join Date
    Aug 2008
    Location
    The Netherlands
    Posts
    9,094
    Mentioned
    153 Post(s)
    Tagged
    2 Thread(s)
    Quote Originally Posted by felgall View Post
    The banks can't stop you storing your password - most browsers these days have a save password option built right into the browser that doesn't rely on cookies to save the passwords. The browsers usually also offer a master password setup where the stored passwords can only be used if you enter the master password before using the first one - that prevents someone else using the passwords since they don't know the master password.

    Since all decent browsers offer to save passwords for you with appropriate security within the browser there is no point in setting up a less secure option of your own using cookies.
    Doesn't autocomplete="false" on username/password fields tell the browser not to store the username/password?
    If so, I think banks should use this.

    PS. My bank doesn't use a password, but a device that generates tokens, so I don't really know how websites of banks that use passwords work. Although in my opinion they should do all they can to prevent the browser from storing passwords!
    Rémon - Hosting Advisor


    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy

  6. #6
    SitePoint Member
    Join Date
    May 2006
    Posts
    20
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Right, the save password browser option is very different and I don't want to get off topic but thanks for your insight. I just wanted to confirm that even if an encrypted password, or some random token is stored with a username in a cookie, that it would be possible to intercept, or if someone had access to the computer, copy the cookie, and use it on another machine to gain access to an account. Apparently, this is very possible.

  7. #7
    SitePoint Wizard
    Join Date
    Mar 2008
    Posts
    1,149
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    Since all decent browsers offer to save passwords for you with appropriate security within the browser there is no point in setting up a less secure option of your own using cookies.
    I disagree with this. Given all the sites I visit with logins, having to login to each one every time I start up my browser would be quite painful. On some sites, I have more than one login, and having to switch between logins in Firefox and Chrome is even more painful.

  8. #8
    ¬.¬ shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    Use a simple random token that periodically changes, either after a set time, on user action, or both. When it comes to viewing sensitive data or altering settings like email, ask for credentials as well as update the token.

    Well that is what I would have done.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.
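The scheme sketched in post #8 (a random token that rotates, plus a fresh credential check before sensitive actions), together with the "series identifier + token" idea behind the article linked in post #3, can be put into working code. The example below is added here and is not code from any poster or from the linked article. It assumes an in-memory store standing in for a database table, a cookie value of the form `series:token`, and hypothetical policy values (`TOKEN_LIFETIME`, `REAUTH_WINDOW`) chosen for illustration. The cookie never carries the password or its hash; the server keeps only a SHA-256 of the random token, rotates the token on every use, and treats a correct series with a wrong token as the replay of a copied cookie, revoking the series outright.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values for this example; choose your own.
TOKEN_LIFETIME = 30 * 24 * 3600   # remember-me cookie lives 30 days
REAUTH_WINDOW = 15 * 60           # sensitive actions need a password typed in the last 15 minutes


@dataclass
class SeriesRecord:
    user: str
    token_hash: str          # only the hash of the secret half is stored server-side
    expires_at: float
    last_password_at: float  # last time this user proved the password on this series


def _hash_token(token: str) -> str:
    # The token is high-entropy (secrets.token_urlsafe), so a plain SHA-256 keeps a
    # leaked table from yielding usable cookie values; no slow hash is needed here.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class RememberMeStore:
    """Server-side state for 'remember me' cookies: series id + rotating token."""

    def __init__(self, clock=time.time):
        self._clock = clock               # injectable clock so expiry can be tested
        self._series: dict = {}           # series id -> SeriesRecord (stands in for a DB table)

    def issue(self, user: str) -> str:
        """Call after a successful password login. Returns the cookie value to set."""
        series = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._series[series] = SeriesRecord(user, _hash_token(token), now + TOKEN_LIFETIME, now)
        return f"{series}:{token}"

    def validate(self, cookie: str):
        """Return (user, new_cookie) on success, else None. Rotates the token on every use."""
        series, sep, token = cookie.partition(":")
        if not sep:
            return None
        rec = self._series.get(series)
        if rec is None:
            return None
        if self._clock() > rec.expires_at:
            del self._series[series]
            return None
        if not hmac.compare_digest(rec.token_hash, _hash_token(token)):
            # Known series but wrong token: a copied cookie was replayed after the
            # legitimate client already rotated it. Revoke the whole series.
            del self._series[series]
            return None
        new_token = secrets.token_urlsafe(32)
        rec.token_hash = _hash_token(new_token)
        return rec.user, f"{series}:{new_token}"

    def needs_reauth(self, cookie: str) -> bool:
        """True if a sensitive action (view account data, change email) should ask for the password."""
        rec = self._series.get(cookie.partition(":")[0])
        if rec is None:
            return True
        return self._clock() - rec.last_password_at > REAUTH_WINDOW

    def record_password_check(self, cookie: str) -> None:
        """Call once the user has just re-entered a correct password."""
        rec = self._series.get(cookie.partition(":")[0])
        if rec is not None:
            rec.last_password_at = self._clock()

    def revoke_user(self, user: str) -> int:
        """Log the user out of every remembered device, e.g. after a password change."""
        doomed = [s for s, r in self._series.items() if r.user == user]
        for s in doomed:
            del self._series[s]
        return len(doomed)


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue("alice")          # constructed sample user
    user, rotated = store.validate(cookie)
    print("logged in as", user, "- old copy still valid?", store.validate(cookie) is not None)
```

Set the cookie with `HttpOnly`, `Secure` and a `SameSite` attribute so it is not readable from script or sent over plain HTTP; that limits how a copy can be obtained, while the rotation above limits what a copy is worth once taken. Revoking the series on a token mismatch does log the legitimate user out as well, which is the intended signal that something is wrong.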


