Permanent cookies security problems
One of the most comfortable things on the Internet is the opportunity to enter our protected panels around the world without typing each time our username or password, because it saves time, it is not annoying, we forgot the password for that site, do not need to check our password manager to retrieve login details for every site we sign up or we are lazy and so on.
Everybody knows this can be obtained by use of a permanent cookie inside visitor's browser, as well as that relying only on a cookie it is not a good idea about security, because of the easiness to steal people's cookies by use of cross-site scripting on poorly designed websites, even if ours does not fall in that category.
On many websites, forums or books they say that a double check on cookie and IP address of the calling visitor should be enough to guarantee a certain level of security. I am concerned about this, as I think it is useless for private visitors and potentially dangerous for company's employees.
Private surfers are usually assigned with a dynamic IP address by theirs connection providers each time they connect to the Internet, so the possibility to receive consecutively the same IP address is very low. Because of this, the double check will very probably fail and visitors will need to re-login.
On the other side, company employees connect from behind an intranet firewall, which externally identifies itself with the same static IP address and internally redirect the traffic dynamically thanks to IP masquerading and internal DHCP. This means that any other computer than mine behind the firewall may act as mine, if they take my cookies, and the double security check will miserably fail.
Finally, if you had the patience to read until now, the question I would like to propose is: which kind of other security checks (other than cookies and IP address) can be done to ensure the identity of the visitor connecting to the website? Or we are doomed to oblige our visitors to provide login details each time they connect in order to avoid potential security problems?
Thanks in advance for your replies.
most browsers offer to remember your passwords these days.
if you must, at least use localStorage instead of document.cookie to avoid packet sniffing revelation of cookie data.
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Tags for this Thread