Menu
Experts,
We want a more secure login system for our future projects, rather than using session states to tell if the user is logged in or not. If my understanding is correct, once a user is authenticated via forms authentication, a cookie is generated on the users machine. How secure is that? Is the cookie susceptible to a form of hijacking similar to session hijacking? What if the user doesn't accept cookies? Is there a better method I should take a look at?
Thanks in advance.
402
The short answer is it's as safe as you make it. Most form based authentication systems use cookies to maintain a session with the end-users, but you could use other techniques if you choose to do so.
For cookie based authentication you need to create some kind of token that identifies the authenticated user. This token needs to be something that cannot be easily guessed. This token can be passed in a cookie or stored in a session, in which case a session cookie is stored on the clients machine and the authentication token is access only on the server-side of the connection. If you don't want the cookie to be captured by an ease-dropper then you can make the cookie Secure and HttpOnly, the former only gets sent over HTTPS, and the latter makes the cookie inaccessible from JavaScript.
If the end-user does not accept cookies then the session id is usually put in the URL which is not safe.
Take a look at this link Session Fixation
85
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
