What to Store in Cookie?

  • Question

  • User-809550105 posted

    I am storing the user's email ID, which works like a primary key, in a cookie. But I am encrypting it using the machine key:

    <machineKey validationKey="02563BE791F7F0D2026A4BEC62A6F4062041796B48FB8105E28555E82834848D3C6D556C7B692AC71BB8F71FAACD6CE2E2435AC5D580645FEBEAEF6ABB6A34AB" decryptionKey="2509D534AB99251AB2E2FB01E67AC9CC11A476993D46AF67585206BEEF2930A6" validation="SHA1" decryption="AES"/>

    I want to know whether it is insecure to store the email in a cookie using this machine key?

    Tuesday, November 20, 2012 12:55 AM

All replies

  • User-821857111 posted

    You shouldn't generally use cookies for storing sensitive data. Use Session for that instead. 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, November 20, 2012 1:16 AM
  • User-809550105 posted

    I am using Session, but it keeps on expiring before the time, so the user logs out after it. This is why I am using a cookie. Does the machine key encrypt my cookie?

    Tuesday, November 20, 2012 1:22 AM
  • User-1002157272 posted

    By default yes, unless you configure your app to do otherwise. The default implementations will leverage the machinekey api. You can also manually call on the machinekey api and do it yourself (as I assumed you were doing from your original post). The machine key will also be used for encrypting viewstate, etc.

    Tuesday, November 20, 2012 1:35 AM
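
Calling the machine key API manually, as the reply above mentions, can look like the following added example, which is not part of the original thread. It assumes ASP.NET 4.5 (`MachineKey.Protect`/`Unprotect`) and an HTTPS site; the class, cookie, and purpose names are hypothetical.

```csharp
// Added example. Assumes ASP.NET 4.5+ over HTTPS; all names below are hypothetical.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public static class ProtectedCookie
{
    // Purpose strings bind the ciphertext to this one use of the machine key.
    private static readonly string[] Purposes = { "ProtectedCookie", "UserEmail.v1" };
    private const string CookieName = "u";

    public static void Write(HttpResponseBase response, string email, TimeSpan lifetime)
    {
        // Expiry goes inside the protected payload; the cookie's Expires attribute is client-controlled.
        long expiresTicks = DateTime.UtcNow.Add(lifetime).Ticks;
        byte[] payload = Encoding.UTF8.GetBytes(expiresTicks + "|" + email);
        byte[] sealedBytes = MachineKey.Protect(payload, Purposes);
        var cookie = new HttpCookie(CookieName, HttpServerUtility.UrlTokenEncode(sealedBytes))
        {
            HttpOnly = true,   // not readable from script
            Secure = true,     // sent over HTTPS only
            Expires = DateTime.UtcNow.Add(lifetime)
        };
        response.Cookies.Add(cookie);
    }

    // Returns the email, or null if the cookie is missing, tampered with, or expired.
    public static string Read(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            byte[] sealedBytes = HttpServerUtility.UrlTokenDecode(cookie.Value);
            if (sealedBytes == null) return null;
            string[] parts = Encoding.UTF8.GetString(
                MachineKey.Unprotect(sealedBytes, Purposes)).Split(new[] { '|' }, 2);
            if (parts.Length != 2) return null;
            long ticks;
            if (!long.TryParse(parts[0], out ticks) || ticks < DateTime.UtcNow.Ticks) return null;
            return parts[1];
        }
        catch (CryptographicException) { return null; } // failed integrity check or wrong key/purpose
        catch (FormatException) { return null; }        // not a valid token
    }
}
```

The protection is only as strong as the secrecy of the configured `validationKey` and `decryptionKey`: anyone holding them can read and forge these cookies.
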
  • User-809550105 posted

    Like I am using machine key now and is it secure now?

    Tuesday, November 20, 2012 1:43 AM
  • User-1002157272 posted

    Yes, machine key is a very secure API, especially the .NET 4.5 version :) although YOUR machinekey might not be secure, having posted its value in a public forum lol. I'd suggest changing it for safety's sake. But yes, machine key API is definitely secure.

    I still wouldn't suggest storing any sensitive information in a cookie though, just in case.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, November 20, 2012 2:04 AM
  • User347897345 posted

    You can increase the timeout of the session in the web.config. It will make you independent of thinking about cookies.

    <system.web>
     <sessionState mode="InProc" cookieless="false" timeout="80" />
    </system.web>

    Wednesday, November 21, 2012 4:18 AM
  • User-126879547 posted

    Please refer to:

    http://msdn.microsoft.com/en-us/library/ms178194(v=vs.100).aspx

    http://msdn.microsoft.com/en-us/library/78c837bd(v=vs.100).aspx

    http://www.codeproject.com/Articles/244904/Cookies-in-ASP-NET

    Wednesday, November 21, 2012 6:39 AM