Bohdan Linda wrote:
> On Thu, May 15, 2008 at 05:40:49PM +0200, Steve Manes wrote:
>> I keep the user's login credentials in a TripleDES-encrypted,
>> non-persistent cookie, separate from session data.
>
> This is the approach I am/will be heading to. Having the cookie with login
> and password encrypted on user side, HTTPS connection, and what was said
> in previous emails about not storing credentials in cookies: any ideas of
> weak sides? Moreover, if parts of decryption keys will be unique to the
> sessions and stored in session on a server?

No security is 100% and neither is my solution. Given enough time,
interest and computer time it could be hacked.
But we used similar tamper-proof credentials security on three large,
hacker-infested community web sites which together logged up to .75
billion page views/month. Everything else under the sun got hacked but
this encrypted cookie never was (we had watchdogs sniffing for mangled
cred cookies). It was just too much work.
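An added example, not code from this thread or from either author, showing the design the reply describes: credentials sealed into a non-persistent cookie under a key that mixes a long-lived server secret with a per-session secret held only in server-side session storage, plus a watchdog that counts cookies failing authentication (the "mangled cred cookie" signal). TripleDES is not in Python's standard library, so this block substitutes an HMAC-SHA256 counter-mode keystream with a separate HMAC tag for the encrypt-then-authenticate step; `SERVER_SECRET`, the session secrets and the credential strings are constructed placeholders.

```python
"""Session-bound, authenticated credential cookie with a tamper watchdog.

Added example (not from the mailing-list thread). Uses an HMAC-SHA256
keystream in counter mode plus an HMAC tag as a stdlib stand-in for a
TripleDES-encrypted, MAC-protected cookie. All secrets are placeholders.
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed placeholder: long-lived secret that never leaves the server.
SERVER_SECRET = b"replace-with-32-random-bytes-from-os-urandom"


def derive_cookie_key(server_secret: bytes, session_secret: bytes) -> bytes:
    """Mix the server secret with a per-session secret (stored in the server's
    session record) so a cookie is only decryptable while that session lives."""
    return hmac.new(server_secret, b"cred-cookie|" + session_secret, hashlib.sha256).digest()


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the session-bound key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block_i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_cookie(key: bytes, credentials: bytes) -> str:
    """Encrypt credentials under a fresh nonce, then MAC nonce||ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(credentials, _keystream(enc_key, nonce, len(credentials))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode("ascii")


def open_cookie(key: bytes, token: str) -> Optional[bytes]:
    """Return the credentials, or None if the cookie is malformed or tampered.
    The tag is checked before any decryption, in constant time."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) < 16 + 32:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CookieWatchdog:
    """Counts cookies that fail authentication: a spike is the detection signal
    the reply describes, without having to inspect the credentials themselves."""

    def __init__(self) -> None:
        self.mangled = 0

    def check(self, key: bytes, token: str) -> Optional[bytes]:
        creds = open_cookie(key, token)
        if creds is None:
            self.mangled += 1
        return creds


def flip_byte(token: str, index: int) -> str:
    """Constructed corruption helper for demonstrating the watchdog: flips one
    bit of the decoded cookie and re-encodes it."""
    raw = bytearray(base64.urlsafe_b64decode(token.encode("ascii")))
    raw[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    key_a = derive_cookie_key(SERVER_SECRET, b"session-secret-A")  # placeholder
    cookie = seal_cookie(key_a, b"alice:hunter2")  # constructed credentials
    dog = CookieWatchdog()
    print(dog.check(key_a, cookie))                   # b'alice:hunter2'
    print(dog.check(key_a, flip_byte(cookie, 20)))    # None (ciphertext mangled)
    print(dog.check(derive_cookie_key(SERVER_SECRET, b"session-secret-B"), cookie))  # None
    print("mangled cookies seen:", dog.mangled)       # 2
```

Because part of the key lives only in the server-side session, a cookie copied off a client is undecryptable under any other session and becomes useless once that session expires; the MAC check rejects altered or replayed-under-wrong-session cookies before decryption, and counting those rejections is the watchdog.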