Re: Best practice, (secure), to save session data? [message #178414 is a reply to message #178402]
Fri, 15 June 2012 20:44
Arno Welzel
Simon, 14.06.2012 10:35:
> We have a site where many users can login/logout (giving them access to
> their personal information).
>
> The users have 2 choices: either we 'remember' the user after they close
> their browsers or not (for up to 30 days).
Which means everybody who copies the cookie has access to the personal
information.
> It was suggested that I base64_encode/base64_decode the data as a cookie,
> but I am not sure about the security implications of doing that (the
> way I see it, if they can get the session cookie then they can just as
> well access the base64_encoded data anyway).
Yep.
> We have an https site, but we also allow login/access via http.
>
> Any tutorial/reading material/suggestions on how I can store logged-in
> users' credentials?
You can't. Either you ask the user to enter the password/key *always* or
the application becomes less secure, since the only security is that the
cookie is not copied by an attacker. There is no "comfortable" way.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
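The two points made in this exchange can be shown in code. The example below is added here and is not code from Simon or Arno; it is a Python stand-in for the PHP site being discussed. It first shows that base64 hides nothing from whoever holds the cookie, and then shows the usual alternative to putting credentials in the cookie at all: an opaque random token whose validator is stored hashed on the server, with a 30-day expiry. Names such as `RememberMeStore`, the in-memory dictionary standing in for a database table, and the constructed sample cookie values are assumptions for the example. Note that the second half does not contradict the reply above: whoever copies the token still gets in until it expires or is revoked, which is exactly the residual risk described.

```python
import base64
import hashlib
import secrets
import time

THIRTY_DAYS = 30 * 24 * 3600

# Constructed sample: a "remember me" cookie built the way the question proposes,
# i.e. credentials merely base64-encoded.
CONSTRUCTED_BASE64_COOKIE = base64.b64encode(b"user=simon;pw=hunter2").decode()


def decode_base64_cookie(cookie_value: str) -> str:
    """base64 is an encoding, not encryption: anyone who has the cookie reads it."""
    return base64.b64decode(cookie_value).decode()


class RememberMeStore:
    """Server-side table of long-lived login tokens.

    Hypothetical in-memory stand-in for a database table; the real site
    would keep this in its DB, keyed by the selector.
    """

    def __init__(self):
        # selector -> (sha256(validator), user_id, expires_at)
        self._tokens = {}

    def issue(self, user_id, now=None):
        """Create a token for user_id and return the cookie value to send.

        The cookie carries only random values; the password never leaves the
        server and the validator is stored hashed, so a leaked token table does
        not by itself yield usable cookies.
        """
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)
        validator = secrets.token_urlsafe(32)
        digest = hashlib.sha256(validator.encode()).digest()
        self._tokens[selector] = (digest, user_id, now + THIRTY_DAYS)
        return f"{selector}:{validator}"

    def lookup(self, cookie_value, now=None):
        """Return the user_id for a valid, unexpired cookie, else None.

        Anyone presenting the cookie gets the same answer: the token is a
        bearer credential, which is the point of the reply above.
        """
        now = time.time() if now is None else now
        try:
            selector, validator = cookie_value.split(":", 1)
        except ValueError:
            return None
        entry = self._tokens.get(selector)
        if entry is None:
            return None
        digest, user_id, expires_at = entry
        if now >= expires_at:
            # Expired: drop it so it cannot be replayed later.
            del self._tokens[selector]
            return None
        presented = hashlib.sha256(validator.encode()).digest()
        if not secrets.compare_digest(digest, presented):  # constant-time compare
            return None
        return user_id

    def revoke(self, cookie_value):
        """Invalidate a token, e.g. on explicit logout or password change."""
        selector = cookie_value.split(":", 1)[0]
        self._tokens.pop(selector, None)


def set_cookie_header(value, secure=True):
    """Build the Set-Cookie header for the token.

    HttpOnly keeps script from reading it; Secure keeps it off plain http.
    secure=False reproduces the http-login setup from the question, where
    the cookie crosses the wire in the clear.
    """
    flags = f"; Path=/; HttpOnly; SameSite=Lax; Max-Age={THIRTY_DAYS}"
    if secure:
        flags += "; Secure"
    return "Set-Cookie: remember=" + value + flags


if __name__ == "__main__":
    print(decode_base64_cookie(CONSTRUCTED_BASE64_COOKIE))
    store = RememberMeStore()
    cookie = store.issue(42)
    print(set_cookie_header(cookie))
    print("lookup:", store.lookup(cookie))
```

Run stand-alone it prints the recovered plaintext credentials from the base64 cookie, then a Set-Cookie header for a random token and the user it resolves to. The tamper and expiry cases are exercised in the checks below.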