I am creating a login system and have a "remember me" checkbox. Right now I am creating a username SESSION variable whenever a user logs on, and creating both the username SESSION variable and a password COOKIE variable when this box is checked.

So protected pages will check for the presence of these variables on a cold visit. If they exist, they will use them to check the DB and log the user in if all is correct.

Something is telling me it's a bad idea to set a cookie with a user's password in it, but I am not finding any info out there that tells me not to.

Anyone care to comment?

Thanks,
billy

    It is EXTREMELY INSECURE to store passwords in cookie files. EXTREMELY. i.e.: DO NOT DO IT :-)

    Cookies are easily viewable by anyone using the computer... consider a public computer where 50 people logged in... one person comes and looks at the cookies.... ooooh 50 passwords... :-)

      That's all the info I needed. Thanks superwormy!!

        You can store passwords in cookies, but in encrypted format. This way, even if someone peeks into these cookies, they can't find the password string.

          And it should be noted then that md5() is NOT encryption, it's one-way hashing, and it's not secure to store md5() passwords in cookies either.

          A better idea might be to just store a unique sessionID or something in the cookie, and check that against the database.

            Originally posted by ramkumar_unknow
            You can store passwords in cookies, but in encrypted format. This way, even if someone peeks into these cookies, they can't find the password string.

            Doesn't matter: they can just take the cookie.

              Not to mention there is also a bug in IE that you can get cookies from other sites when they visit yours.

                Originally posted by hessian
                Not to mention there is also a bug in IE that you can get cookies from other sites when they visit yours.

                Are you talking remotely or locally? Heh. Anyway, you can also use Proxomitron to retrieve cookies from others, including:

                referer
                cookie info (even if it's encrypted in MIME)
                IP (if static, heh, then call your ISP to change it)

                Otherwise, my recommendation is: don't save the password in the cookie, not even to a file. Save it in the DB encrypted and then you're set, and safe =)

                  You could always just store the user ID and the class B part of their IP in a cookie, then do a check for both. If their class B changes, they have to resubmit their info; big deal. It's very rare unless they change ISPs. This is what I'm doing on my site, but then it's just for fun and there's no stuff being sold.

                  my $0.02 (CND)
                  moon
