> Bohdan Linda wrote:
> > On Thu, May 15, 2008 at 05:40:49PM +0200, Steve Manes wrote:
> > I keep the user's login credentials in a TripleDES-encrypted,
> > non-persistent cookie, separate from session data.
> This is the approach I am/will be heading to. Having the cookie with login
> and password encrypted on the user side, an HTTPS connection, and what was said
> in previous emails about not storing credentials in cookies: any ideas of
> weak sides? Moreover, what if parts of the decryption keys are unique to the
> sessions and stored in the session on a server?
No security is 100% and neither is my solution. Given enough time,
interest and computer time it could be hacked.
But we used similar tamper-proof credentials security on three large,
hacker-infested community web sites which together logged up to .75
billion page views/month. Everything else under the sun got hacked but
this encrypted cookie never was (we had watchdogs sniffing for mangled
cred cookies). It was just too much work.