Hello, I have to create a "remember me login" ASP script. I have read many scripts about this procedure and have seen that many people store the username and password inside a cookie. In my opinion it is not secure (safe). Any advice?

A: 

You don't need to store the password. You only need the username, and if you make sure that it is properly encrypted it is OK to save it in a cookie. It is important for the user to not be able to tamper with the value, and if he does, the server should detect it. SHA1 for HMAC generation and AES for encryption are commonly used algorithms.

Darin Dimitrov
How can I encrypt the username?
Max
A: 

It's best practice NOT to store usernames and passwords in client-side cookies. Store some kind of opaque reference instead that matches something in your server-side authentication database.

Even better still, encrypt this value before storing it in a cookie.

Kev
So I have to create a field in the DB, then compare this value with the cookie; if it matches, it is OK?
Max
Something like that; try something like a GUID.
Kev
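
The opaque-reference approach from the answer above, as an added example that is not part of the original thread. It is written in Python rather than ASP to keep the logic language-neutral; the in-memory dict stands in for the database table, and the function names and the 30-day lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 30 * 24 * 3600  # assumed lifetime: 30 days

# Stand-in for the server-side table: sha256(token) -> (username, expiry).
# Only the hash is stored, so a leaked table cannot be replayed as cookies.
_tokens = {}


def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_token(username, now=None):
    """Create the cookie value for a user who ticked 'remember me'."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits, no user data inside
    _tokens[_digest(token)] = (username, now + TOKEN_TTL)
    return token


def redeem_token(cookie_value, now=None):
    """Return (username, replacement_token), or None if the cookie is invalid."""
    now = time.time() if now is None else now
    if not isinstance(cookie_value, str) or not cookie_value.isascii():
        return None
    # pop() makes each token single use: a copied cookie stops working
    # as soon as either party has redeemed it.
    record = _tokens.pop(_digest(cookie_value), None)
    if record is None:
        return None  # unknown, tampered or already used
    username, expiry = record
    if now > expiry:
        return None
    return username, issue_token(username, now)


def revoke_all(username):
    """Drop every remembered login for a user (logout, password change)."""
    for key in [k for k, (u, _) in _tokens.items() if u == username]:
        del _tokens[key]
```

The value returned by `issue_token` is what goes in the cookie, which should be set with the `HttpOnly` and `Secure` attributes; the replacement token from `redeem_token` overwrites it on each automatic login.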