Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why should I use session id in cookie instead of storing login and (hashed) password in cookie?

Tags:

security

session

login

(I was surprised that this question wasn't asked on Stack for now, but I've done some searching and couldn't find anything o.O)

I am working on service-based webapp and I wonder what is the best way for handling user logins. So far I have:

  1. When user login in, they supply creditials. Password is salted and hashed locally, than it's transmit to server over POST (so sniffing users won't be able to retrieve original password ie. to check them on the other sites)
  2. Login and hashed password are stored in cookie with TTL of 15 minutes (revoked every single webaction)
  3. Passwod is server-side salted and hashed again, and than it's compared with password stored in database (so, passwords are double hashed with different salts, this is for someone who'll break into database - they still won't be able to recover login creditionals)
  4. User can do at most 3 login attempts per 5 minutes from single IP
  5. Users get information about last successful and unsuccessful login attempts alongside with date and IP

Someone had noted that it's better to store unique session id instead of hashed password in cookie and I wonder why it is so important - if someone sniff packets, than it's no matter session id or not - they still can get packet from login with all data needed to pose as legitimate users and login themselves. So are there any other advantages of stored session-id approach over storing login and hashed-password in cookie appraoach?

like image 882
PiotrK Avatar asked Oct 30 '12 19:10

PiotrK

People also ask

Should session ID be stored in cookie?

A session ID is a unique number that a Web site's server assigns a specific user for the duration of that user's visit (session). The session ID can be stored as a cookie, form field, or URL (Uniform Resource Locator). Some Web servers generate session IDs by simply incrementing static numbers.

Should I use cookie or session for login?

session login is always preferred, if you specifically do not need any cookie variables to set for your webpage. session login is always preferred, if you specifically do not need any cookie variables to set for your webpage.

Why are sessions preferred over cookies?

Sessions are more secured compared to cookies, as they save data in encrypted form. Cookies are not secure, as data is stored in a text file, and if any unauthorized user gets access to our system, he can temper the data.

Why do we need session ID?

As session IDs are often used to identify a user that has logged into a website, they can be used by an attacker to hijack the session and obtain potential privileges. A session ID is usually a randomly generated string to decrease the probability of obtaining a valid one by means of a brute-force search.

1 Answers

Storing the hashed password as a cookie is very nasty vulnerability and is an OWASP Violation. The whole point in hashing a password is you are forcing the attacker to break the hash in order to login. If the attacker can just pull the hash from the database and then login, then you have a system that is equivalent to storing password in plain text.

Every platform has a session handler, in php just use session_start() and the $_SESSION super global. By writing your own session handler you will be less secure.

like image 119
rook Avatar answered Sep 20 '22 02:09

rook
Sign in to Comment

Related questions

Perl encrypting STDIN passwords
iOS detect mock locations
How to disable access security notice "A Potential security concern has been identified"
benefits of "HTTP authentication with PHP"
User name not found or incorrect password error message too vague
xml vulnerabilities
Storing important secret keys in php files
Is it considered good practice to store passwords in a private Github repository?
Which cloud based, scalable web service is best for DDOS prevention? [closed]
Java: what information in error stack trace do we typically not wish to show users?
Algorithm HmacPBESHA256 not available
Setting 'HttpOnly' and 'Secure' in web.xml
.NET Assembly Plugin Security
Difference between CookieStore Sessions and Encrypted Cookies in Ruby On Rails
How to use setuid() from root to become user, with the possibility of becoming root again later?
What harm can javascript do?
Is there any danger in loading external, third-party CSS?
One way SSL is one way encryption?
Can a PHP file ever be read externally? [closed]
NoSQL Database for Banking System [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!