
I want to store some of the user information (hashed) in a cookie to remember the login, so that the user is signed in automatically. In order to make it relatively secure, I'd add the user's browser information from HTTP_USER_AGENT, which will be something like: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3. I won't add the user's IP, as dynamic IPs change every time. Is there any other user-specific information which I can store in the hashed cookie to make it a bit more secure and prevent cookie stealing etc.? Thanks.

Roman
  • Why store this in a cookie and not on server side? – Pekka Jun 17 '11 at 11:02
  • adding user supplied information doesn't make it any more secure! – vipw Jun 17 '11 at 11:03
  • The useragent is more likely to change (with software updates) than the IP if you ask me – Dunhamzzz Jun 17 '11 at 11:04
  • Read some of the related questions. This question doesn't provide anything new: for example http://stackoverflow.com/questions/6340562/storing-login-information-in-cookies asks the exact same thing. – vipw Jun 17 '11 at 11:05
  • @Pekka in a login system, if a user wants to remember his login information so that he can log in automatically, I would need to generate some kind of key to store in the browser. If I add some info like the user agent, I can assume that it is a little more secure, as it won't work on any other machine with a different OS or browser etc. – Roman Jun 17 '11 at 11:07
  • @vipw my question is just whether there is any other information I can get except the user agent. – Roman Jun 17 '11 at 11:08
  • @Roman but why store that information on client side where there's always the risk of it getting altered, instead of on server side connected to the session key? – Pekka Jun 17 '11 at 11:10
  • @Pekka if a user supplies a username and password and wants not to be asked to log in again for one week, then isn't the cookie the only thing you can use? – Roman Jun 17 '11 at 11:14
  • @Roman I have no problem with the cookie - just the aspect of storing the user agent info in it. The cookie is fine. – Pekka Jun 17 '11 at 11:15
  • @Dunhamzzz doesn't the user agent change only on an update of the browser software or Windows? And I think that doesn't happen every week? – Roman Jun 17 '11 at 11:15
  • @Roman mmm, the user agent will contain minor version changes too, so there may be something to this. – Pekka Jun 17 '11 at 11:16
  • @Pekka I plan to hash some info with a salt and store it in the cookie, such as the user ID etc., so that I can validate the cookie. The reason for adding the user agent info (instead of the IP) to the hash is to make it a little more secure, so that it cannot be used on another browser/machine. Won't it help? – Roman Jun 17 '11 at 11:17
  • @Roman of course it can help, but why store the user agent in a cookie where it can be manipulated, and not on server side? Everything your long-term cookie should contain is *one* random ID. Everything else should be stored on server side – Pekka Jun 17 '11 at 11:19
  • @Pekka I was thinking to add the user agent in the salt to hash the cookie with ID etc. – Roman Jun 17 '11 at 11:31

1 Answer


This is a perfect example of security through obscurity. It does not make the system more secure, because the additional info can be easily forged by attackers.

I recommend you store the user ID from the database in the session and store only the session ID in the cookie. That should be enough.

Also, you can make your sessions more secure by applying patches to the most common session attacks:

Ondřej Mirtes
  • If I store the session ID in the cookie and the user closes the browser, then the session ID will be different from the one stored in the cookie. The idea is to log the user in automatically by validating some info from the cookie. – Roman Jun 17 '11 at 11:12
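The answer and Pekka's comments converge on the same design: the long-lived cookie carries nothing but a random identifier, and everything the server needs (which user, when it expires) lives server-side keyed by that identifier. The following is an added example of that design, not code from the question or the answer. It uses the "selector:validator" split: the selector is only a lookup key, the validator is the secret, and only a hash of the validator is stored, so a leaked table does not yield usable cookies. The comparison is constant-time, the token is rotated on every successful use (so a copied cookie is invalidated as soon as the legitimate browser uses its own), and the User-Agent is deliberately not mixed in, for the reason the answer gives. `REMEMBER_ME_TABLE` is a constructed in-memory dictionary standing in for a database table; the cookie name `remember_me` and the one-week lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for a database table:
#   selector -> {"user_id", "validator_hash", "expires"}
REMEMBER_ME_TABLE = {}
ONE_WEEK = 7 * 24 * 3600  # assumed lifetime, as in the question


def _hash_validator(validator):
    """Store only a hash of the secret half of the token."""
    return hashlib.sha256(validator.encode("ascii")).hexdigest()


def issue_remember_me(user_id, now=None):
    """Create a new long-lived token for user_id and return the cookie value.

    The cookie value is "<selector>:<validator>". The selector is a
    non-secret lookup key; the validator is the secret and is never stored
    in clear. Nothing about the user or browser is encoded in the cookie.
    """
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    REMEMBER_ME_TABLE[selector] = {
        "user_id": user_id,
        "validator_hash": _hash_validator(validator),
        "expires": now + ONE_WEEK,
    }
    return f"{selector}:{validator}"


def check_remember_me(cookie_value, now=None):
    """Validate a presented cookie.

    Returns (user_id, new_cookie_value) on success, or None. On success the
    old token is revoked and a fresh one issued, so a stolen copy of the
    cookie stops working the next time the real browser uses it.
    """
    now = time.time() if now is None else now
    if not isinstance(cookie_value, str) or ":" not in cookie_value:
        return None
    selector, validator = cookie_value.split(":", 1)
    row = REMEMBER_ME_TABLE.get(selector)
    if row is None:
        return None
    if now > row["expires"]:
        del REMEMBER_ME_TABLE[selector]  # expired: clean up
        return None
    # Constant-time compare of hashes; the selector lookup above is the only
    # data-dependent step, and the selector is not secret.
    if not hmac.compare_digest(_hash_validator(validator), row["validator_hash"]):
        return None
    user_id = row["user_id"]
    del REMEMBER_ME_TABLE[selector]  # rotate: one use per token
    return user_id, issue_remember_me(user_id, now=now)


def revoke_remember_me(cookie_value):
    """Invalidate a token (logout, password change). Returns True if found."""
    if not isinstance(cookie_value, str) or ":" not in cookie_value:
        return False
    selector = cookie_value.split(":", 1)[0]
    return REMEMBER_ME_TABLE.pop(selector, None) is not None


def set_cookie_header(cookie_value):
    """Build the Set-Cookie header value with the flags that limit theft:
    HttpOnly keeps it away from page scripts, Secure keeps it off plain HTTP,
    SameSite=Lax stops most cross-site sends."""
    return (
        f"remember_me={cookie_value}; Max-Age={ONE_WEEK}; Path=/; "
        "HttpOnly; Secure; SameSite=Lax"
    )


if __name__ == "__main__":
    cookie = issue_remember_me(42)
    print("Set-Cookie:", set_cookie_header(cookie))
    result = check_remember_me(cookie)
    print("first use ->", result[0], "(token rotated)")
    print("replay of old cookie ->", check_remember_me(cookie))
```

On a real deployment the table becomes a database table with an index on the selector, and a password change or explicit logout deletes every row for that user. The rotation step means the server must accept the freshly issued cookie on the very next request, which is the normal behaviour for a remember-me cookie but worth knowing when two tabs race.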