I am not sure if I should post this on IT Security or StackOverflow because I am concerned about security and performance.
I am trying to find a reliable source for cookie management. I read through OWASP, so I roughly know what can be dangerous.
But I need to authenticate my users with cookies. Is there a complete step-by-step guide?
What I did:
generate a random and unique string.
associate the random string with a user in my cache rndstring -> user
create a secure and signed cookie. value= hash(rndstring+secret)|rndstring
if the user comes back, I check if the hashes match, and if the rndstring is in my cache.
if yes get the user.
I think my approach is flawed because I made it by myself.
Another problem would be that I save the user object from the db in my cache. If the user updates his profile I would also have to update the cache.
I am using Java with the Play 2 framework + MongoDB.
What resources can you recommend me?
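The five steps above, written out as an added example (this is not the asker's code and not part of the Play framework): the tag over the random string is computed with HMAC-SHA256 under a server-side secret instead of a plain hash of `rndstring+secret`, the two tags are compared in constant time, and the cache maps the token to a user id only, so the profile is read fresh from the database on every request and never goes stale. The `SessionTokens` class, its in-memory `ConcurrentHashMap` cache and the `mac|token` cookie layout are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Opaque server-side session tokens. Example code: the class, the cache and
 * the cookie layout "mac|token" are assumptions, not a Play API.
 */
public class SessionTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String HMAC_ALG = "HmacSHA256";
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    // Hypothetical cache: token -> userId. Only the id is cached, so profile
    // data is always loaded from the database and cannot be stale.
    private final Map<String, String> sessions = new ConcurrentHashMap<>();
    private final byte[] serverSecret;

    public SessionTokens(byte[] serverSecret) {
        if (serverSecret.length < 32) {
            throw new IllegalArgumentException("server secret should be at least 256 bits");
        }
        this.serverSecret = serverSecret.clone();
    }

    /** Steps 1-3: mint a random token, bind it to the user, return the cookie value. */
    public String issue(String userId) {
        byte[] raw = new byte[32];                 // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = B64.encodeToString(raw);
        sessions.put(token, userId);
        return mac(token) + "|" + token;
    }

    /** Steps 4-5: verify the tag in constant time, then look the token up. Null on any failure. */
    public String resolve(String cookieValue) {
        if (cookieValue == null) return null;
        int sep = cookieValue.indexOf('|');
        if (sep < 0) return null;
        byte[] presented = cookieValue.substring(0, sep).getBytes(StandardCharsets.US_ASCII);
        String token = cookieValue.substring(sep + 1);
        byte[] expected = mac(token).getBytes(StandardCharsets.US_ASCII);
        // MessageDigest.isEqual is constant-time; a plain equals() leaks timing.
        if (!MessageDigest.isEqual(expected, presented)) return null;
        return sessions.get(token);                // null if logged out / expired from cache
    }

    /** Logout: drop the token so the cookie is useless even if it was copied. */
    public void revoke(String cookieValue) {
        int sep = cookieValue == null ? -1 : cookieValue.indexOf('|');
        if (sep >= 0) sessions.remove(cookieValue.substring(sep + 1));
    }

    private String mac(String token) {
        try {
            Mac m = Mac.getInstance(HMAC_ALG);
            m.init(new SecretKeySpec(serverSecret, HMAC_ALG));
            return B64.encodeToString(m.doFinal(token.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        RNG.nextBytes(secret);                     // in practice: loaded from config, not generated per start
        SessionTokens store = new SessionTokens(secret);

        String cookie = store.issue("user-42");
        System.out.println("valid cookie   -> " + store.resolve(cookie));          // user-42

        // Forge attempt: keep the tag, swap the token part
        String forged = cookie.substring(0, cookie.indexOf('|')) + "|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
        System.out.println("forged cookie  -> " + store.resolve(forged));          // null

        store.revoke(cookie);
        System.out.println("after logout   -> " + store.resolve(cookie));          // null
    }
}
```

When the value is written to the browser, set the cookie with the HttpOnly and Secure attributes and a path scoped to the application; the HMAC only stops forgery, it does nothing against a token that has been stolen through script access or a plaintext connection. The in-memory map also means sessions vanish on restart and are not shared between instances, which is why a shared store such as the database or a cache server is the usual choice in production.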
I think this is a question for Security StackExchange and I note that you've asked similar questions there, recently with an excellent answer from DW. There are plenty of folk on the security.stackexchange.com forum who'll critique your methodology.
I personally wouldn't recommend developing your own session management, in fact I'd advise against it. The "play framework" session management has been reviewed by many folks, whereas yours hasn't and can easily have vulnerabilities that you've simply missed. I would use the built-in session management provided by your chosen programming framework. Have you read the play documentation?
In terms of resources, you should check out the Secure Development Principles from David Rook - here and here.
If you change your mind about using cookies, you could look at web keys, which is a method for inserting an unguessable token into a URL.
When reading OWASP, did you read the latest Session Management cheat sheet? I think that a lot of your questions are answered there.
One final resource is the SANS Top 25 Software Errors.