I don't understand why we have to secure the cookies and session. I have a cookie that stores the userid, username and encrypted password.
I have a function that checks the cookies at any moment to see if the information matches the database information; if not, it redirects to the login page. However, I don't understand the risk: who can view this information, and what can he do with it?
Can anyone explain to me what the risk is?
It's hard to quantify in exact terms. First, remember that cookies are transferred between the client and the server in every single request. That's potentially many opportunities for someone to intercept them. Just assume that cookies will be intercepted at some point by somebody.
Storing the username, userid and (encrypted) password in the cookie:
On the other hand, using only a meaningless session id:
In short: session ids present no attack surface at all, since they're inherently meaningless. Userids, names and passwords present a very juicy target. Just from those basic points, sessions should seem a lot more appealing. Assuming a perfect implementation with otherwise perfect security, both should be rather secure. However, you do not know what insecurities you have; you won't have perfect security. Assuming this, knowing this, the simpler system with fewer caveats should always be preferable.
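To make the answer's point concrete, here is an added example (not code from the question or the answer above) of the "meaningless session id" approach: the server keeps a table mapping a random id to the logged-in user, the cookie carries only that id, and the id can expire or be revoked at any time. The `SessionStore` class, the `now` clock parameter and the sample cookie header are all constructed for this illustration; compare it with the question's cookie, which carries userid, username and password material that stay valid until the password itself is changed.

```python
import secrets
import time
from dataclasses import dataclass

# Default session lifetime; a stolen id is useless after this (or after revoke()).
SESSION_TTL_SECONDS = 30 * 60


@dataclass
class Session:
    user_id: int
    expires_at: float


class SessionStore:
    """Server-side session table keyed by a random, meaningless session id.

    The cookie value itself reveals nothing about the user: it is only a key
    into this table, and the table is the sole place where user_id lives.
    `now` is injectable so expiry can be tested deterministically.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, now=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._now = now

    def create(self, user_id):
        # 32 random bytes (256 bits) from the OS CSPRNG: not guessable, not
        # derived from the user id, so it carries no information on its own.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id, self._now() + self._ttl)
        return sid

    def lookup(self, sid):
        """Return the user_id bound to sid, or None if unknown or expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session.expires_at <= self._now():
            del self._sessions[sid]  # lazy cleanup of expired sessions
            return None
        return session.user_id

    def revoke(self, sid):
        """Log out one session (e.g. the user clicked 'sign out')."""
        self._sessions.pop(sid, None)

    def revoke_all_for_user(self, user_id):
        """Invalidate every session of a user, e.g. after a password change.

        This is the capability a credential-bearing cookie cannot offer:
        an intercepted copy of that cookie stays valid until the password changes.
        """
        for sid in [s for s, sess in self._sessions.items() if sess.user_id == user_id]:
            del self._sessions[sid]


def session_cookie_header(sid):
    """Set-Cookie value: HttpOnly keeps scripts away from it, Secure keeps it
    off plain HTTP, SameSite=Lax limits cross-site sending."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_cookie_header(header):
    """Parse a request 'Cookie:' header value into a dict (simple, strict parser)."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def authenticate_request(store, cookie_header):
    """Resolve the user for a request; None means 'redirect to login'."""
    sid = parse_cookie_header(cookie_header).get("session")
    if not sid:
        return None
    return store.lookup(sid)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(user_id=42)
    print("Set-Cookie:", session_cookie_header(sid))
    print("user:", authenticate_request(store, f"theme=dark; session={sid}"))
    store.revoke(sid)
    print("after logout:", authenticate_request(store, f"session={sid}"))
```

Notice that the only thing a copied cookie gives an observer is a string that stops working on logout, on expiry, or whenever the server decides; the user's actual credentials never leave the server. That is the "fewer caveats" the answer refers to.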