Is it advisable to store a hashed password in a cookie?

I want users to be able to select a "remember me" box on my website so they need not log in each time they come. So, I need to store a unique ID in a cookie to identify them. Is it safe to hash their password with sha512 and a long salt in PHP and store that value in the cookie? If the cookie was stolen, would their password be at risk? Obviously it must be connected to their password somehow, otherwise if the cookie value was guessed or stolen, the user would not be able to stop someone else logging in.

Also, is it advisable to use a GUID at all as the unique identifier?

Thanks, Ben

Ben asked Mar 02 '10 04:03

1 Answer

Remember, the hash of the password is effectively the same as their password. Somebody who stole the hash would have the same access to the user's account as if they had stolen their password. Therefore it is not advisable to store a hash of the user's password in a cookie unless there is some other information not stored with the cookie that is used to authenticate (i.e. 2-factor authentication).

Gabe answered Sep 28 '22 04:09
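A remember-me design that follows the answer's advice, written as an added Python example (not code from the question or the answer): the cookie carries a random token with no relation to the password, the server stores only a hash of that token, and a token can be revoked without touching the password. The in-memory `rows` dict stands in for a database table, and the user id "ben" is a constructed sample; the same pattern in PHP uses `random_bytes()`, `hash()` and `hash_equals()`.

```python
import hashlib
import hmac
import secrets


class RememberMeStore:
    """Server-side table of issued remember-me tokens.

    Constructed in-memory stand-in for a DB table (selector, user_id,
    validator_sha256). Nothing here is derived from the user's password:
    a stolen cookie reveals nothing about it, a dumped table cannot be
    replayed as a cookie, and tokens can be revoked independently.
    """

    def __init__(self):
        self.rows = {}  # selector -> (user_id, sha256(validator))

    def issue(self, user_id):
        # selector: random public lookup key; validator: random secret
        # that only the browser ever sees in clear text.
        selector = secrets.token_urlsafe(12)
        validator = secrets.token_urlsafe(32)
        self.rows[selector] = (user_id, self._digest(validator))
        return f"{selector}:{validator}"  # value placed in the cookie

    def authenticate(self, cookie):
        """Return the user_id for a valid cookie, else None.

        Tokens are single-use: on success the row is deleted and the
        caller should call issue() to set a fresh cookie, so a replayed
        copy of an old cookie fails.
        """
        selector, sep, validator = cookie.partition(":")
        row = self.rows.get(selector) if sep else None
        if row is None:
            return None
        user_id, stored = row
        # Constant-time compare of hashes; the stored digest is useless
        # as a cookie value because it is hashed again on lookup.
        if not hmac.compare_digest(stored, self._digest(validator)):
            return None
        del self.rows[selector]
        return user_id

    def revoke_user(self, user_id):
        """Log out every remembered browser for one user, e.g. after a password change."""
        for sel in [s for s, (uid, _) in self.rows.items() if uid == user_id]:
            del self.rows[sel]

    @staticmethod
    def _digest(validator):
        return hashlib.sha256(validator.encode()).digest()
```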