Tuesday, January 6, 2015

Please secure your cookies

For the love of god, please secure your cookies.

  1. If you are going to pass login information back to the client in a cookie, to make it easier for them to log in next time, please pass it back over the same secure channel, the same SSL stream, not over a different plain HTTP stream.
  2. Second, always hash or encrypt the contents of the cookie, so that if it travels in the clear or the client gets owned, it is that much harder to pull Personally Identifiable Information (PII) out of the cookie.
  3. Last, and this is as easy as a grade 5 HTML class: do not name things username, user, pass, password, pw, or usr, as these keywords are easy to find. It's better to hide them in code.
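As an added example, not code from this post: a small Python checker that applies the three rules above to Set-Cookie headers. It assumes the Secure attribute is how a cookie is kept on the TLS stream it was issued on, uses a length-and-charset heuristic for "hashed or encrypted", and runs over constructed sample headers embedded in the block.

```python
import re

# Names the post calls out as guessable; the name is tokenized so "user_id" is caught too.
GUESSABLE_NAMES = {"username", "user", "pass", "password", "pw", "usr"}

# Heuristic (an assumption) for "hashed or encrypted": a run of hex/base64/urlsafe chars, 32+ long.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/=_.-]{32,}$")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    header = re.sub(r"^\s*Set-Cookie:\s*", "", header, flags=re.IGNORECASE)
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return the list of findings for one Set-Cookie header; empty means it passes."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:  # rule 1: stay on the TLS stream it was issued on
        findings.append(f"{name}: missing Secure attribute, may be sent over plain HTTP")
    if not OPAQUE_VALUE.match(value):  # rule 2: contents hashed/encrypted, not readable PII
        findings.append(f"{name}: value does not look hashed or encrypted: {value!r}")
    tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
    if tokens & GUESSABLE_NAMES:  # rule 3: the name must not advertise what it holds
        findings.append(f"{name}: guessable cookie name")
    return findings


def audit_headers(headers):
    """Audit several Set-Cookie headers; returns {cookie_name: [findings]}."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in headers}


# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "Set-Cookie: username=alice@example.com; Path=/",  # everything the post warns against
    "Set-Cookie: password=hunter2; Path=/; HttpOnly",  # guessable name, plaintext value, no Secure
    "Set-Cookie: s=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or "OK")
```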

For all the bad coders out there, we love you. You keep us busy and employed.
