Cookie

  • Question

  • User891103818 posted

    Soooo...

    I'm coding a webform (just for fun) and I created a cookie, which saves the inputs. I learned that the cookie saves everything in plaintext, including the password. Is there a possibility to make the cookie save the password "unreadable"?

    Tuesday, September 29, 2015 2:30 AM

All replies

  • User603616845 posted

    Hi,

    Here, if you want your cookie not to be used by anyone ... then you should use encryption.

    Use this code:

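    // Requires: using System.Web;
    // SomeEncryptionMethod / SomeDecryptionMethod are placeholders for your own routines.
    private static void SetEncryptedCookie(string name, string value)
    {
        var encryptName = SomeEncryptionMethod(name);
        var response = HttpContext.Current.Response;
        response.Cookies[encryptName].Value = SomeEncryptionMethod(value);
        // set other cookie properties here, expiry etc.
        // response.Cookies[encryptName].Expires = ...
    }
    
    private static string GetEncryptedCookie(string name)
    {
        // Incoming cookies are on the request, stored under the encrypted name,
        // so the name encryption must give the same output on every call.
        var cookie = HttpContext.Current.Request.Cookies[SomeEncryptionMethod(name)];
        // you'll want more checks/exception handling around this
        return cookie == null ? null : SomeDecryptionMethod(cookie.Value);
    }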

    For more, refer to this link:

    http://www.codeproject.com/Articles/8742/Encrypting-Cookies-to-prevent-tampering

    Mark as answer if it will help you.

    thanks

    Tuesday, September 29, 2015 2:42 AM
  • User1724605321 posted

    Hi Niggi,

    Is there a possibility to make the cookie save the password "unreadable"?

    It's not secure to store passwords in cookies because they are available as plain text. In ASP.NET, we could use forms authentication, which lets you authenticate users by using your own code and then maintain an authentication token in a cookie or in the page URL:

    FormsAuthentication.SetAuthCookie(username, true);

    The second argument's value determines if the cookie is persistent.

    For more details, you could refer to the links below:

    http://stackoverflow.com/questions/3355601/asp-net-remember-me-cookie

    http://stackoverflow.com/questions/2100356/is-it-secure-to-store-passwords-in-cookies

    https://msdn.microsoft.com/en-us/library/7t6b43z4.aspx

    Best Regards,

    Nan Yu

    Tuesday, September 29, 2015 3:02 AM
  • User753101303 posted

    Hi,

    #1 you could encrypt the value, but then you are doing things the other way round, that is, you chose an option and then try to mitigate an issue caused by this possibly bad choice

    #2 or go back to what you want. Do you need it client side (as cookies are a client side storage)? Do you even need to store the password?

    (I understand you may just want to learn about cookies, but even so it's a good exercise to first look at your goal and choose the right tool)

    Thursday, December 17, 2015 4:48 PM