Author

Message

Rocket Man

Posts: 383

Posted on: 2012-10-10 20:56:22.000

Cookie security is something many sites don't bother with, because who would ever fake a cookie? Well, as it turns out, a lot of people could do just that.

Cookie security best practices have been known for a while. This article from 2005 lays them out pretty nicely: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/

Basically, you want to have a random number as your cookie, but then the value should not just be the user Id. It should be hard to guess. And what if a user registers and then copies your carefully-selected random number cookie but just changes the user id? Then they could log in as any user they wanted!

So what we do is add some salt to the cookie in the form of ANOTHER random number, each one unique to each user. The salt is stored in the user database, so it isn't available to the public. This makes every cookie unique for each user.

You also want to be running everything under SSL (aka https) to avoid issues with people stealing cookies with things like FireSheep over WiFi connections, but that's something that can be up to the site administrator.