PHP Security: What you shouldn't store in cookies

  • added on 5. 09. 2024

Comments • 16

  • @THEunderscoreJOKE
    @THEunderscoreJOKE 9 years ago

    This is the best series on your channel (dw, I think they're all great). The short, useful lessons have really helped. Thanks.

  • @1603stanley
    @1603stanley 9 years ago +1

    Thanks, this is a serious issue. I learnt something serious just now.

  • @JohannGambolputty86
    @JohannGambolputty86 8 years ago

    This is just brilliant. Although I already knew a lot of these things, it is always good to see a video like this.
    Best of luck,

  • @theminer3746
    @theminer3746 9 years ago

    This is very helpful.
    Please do more of this series.
    :)

  • @krazymusicguy
    @krazymusicguy 9 years ago +1

    No, you're reaching. Just because someone may store a user_id in plain text doesn't lead to the person being auto-logged in if the value is changed. The aspect you're reaching on would be how not to handle cookies, and/or cookie-based logins (and the alternative that is tokens). Something not to be stored in a cookie would be login credentials (username/email, and password).

    • @krazymusicguy
      @krazymusicguy 9 years ago

      Manolis Agkopian Yes, I'm not saying he's wrong, I'm saying why he says storing it as plaintext is wrong. He's reaching for a bad scenario which is an implementation issue, not anything strictly wrong with the value itself.

  • @clintonufere8534
    @clintonufere8534 3 years ago

    I'm currently having this problem and I'm looking for a way to store my cookie securely without having anyone understand it

  • @NoahNobody
    @NoahNobody 9 years ago

    I don't understand. Are you saying this particular app wouldn't have a user login? A user id is useless unless the user has saved his credentials on that particular pc and account login.

  • @jasworld9672
    @jasworld9672 5 years ago

    Then how will I recognize which is on my website?

  • @_yonas
    @_yonas 9 years ago

    gist.github.com/sweetcode/137a70417d72f2fee09e - You can use this class to encrypt and decrypt data. It may be a security plus when you store encrypted data in your cookies.

  • @LowselingTech
    @LowselingTech 9 years ago

    What about storing access tokens in a cookie? I think that randomly generated access tokens can be safely stored in a cookie instead of a session, right?

    • @codecourse
      @codecourse 9 years ago +1

      +LowselingTech Access tokens can be stored in a cookie but it's best to store two separate values (identifier and hash) in a table and have them both within the cookie. That way, it's harder to attempt to guess one value. You could also then implement throttling, so if a token is incorrect for a particular identifier x amount of times, the access token is invalidated in the database.

    • @LowselingTech
      @LowselingTech 9 years ago

      Ok, thank you very much! :)
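The two-value scheme codecourse describes above (an identifier plus a secret, only the secret's hash kept in the table, with throttling on repeated bad guesses), written out as an added PHP example that is not the video's or the channel's code. It assumes an in-memory `$table` array standing in for the database table, a throttling limit of 5 failures, and the function names `issueToken` / `validateToken`.

```php
<?php
// Added example, not code from the video. "Remember me" cookie built from two random
// values: a selector (lookup key) and a validator (secret). Only the selector and a
// SHA-256 hash of the validator are stored server-side, so a leaked table does not
// yield working cookies. $table stands in for a DB table (assumption for the demo).
declare(strict_types=1);

const MAX_FAILURES = 5; // assumed throttling limit per selector

function issueToken(array &$table, int $userId): string {
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $table[$selector] = [
        'user_id'  => $userId,
        'hash'     => hash('sha256', $validator),
        'failures' => 0,
        'expires'  => time() + 30 * 24 * 3600,
    ];
    // Cookie flags limit exposure of the cookie itself (HTTPS only, no JS access).
    setcookie('remember', "$selector:$validator", [
        'expires'  => $table[$selector]['expires'], 'path' => '/',
        'secure'   => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    return "$selector:$validator";
}

// Returns the user id on success, or null. Does not reveal which half failed.
function validateToken(array &$table, string $cookie): ?int {
    if (substr_count($cookie, ':') !== 1) { return null; }
    [$selector, $validator] = explode(':', $cookie, 2);
    $row = $table[$selector] ?? null;
    if ($row === null || $row['expires'] < time()) { return null; }
    // hash_equals() compares in constant time, so a wrong guess leaks no timing info.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        if (++$table[$selector]['failures'] >= MAX_FAILURES) {
            unset($table[$selector]); // invalidate this token after repeated bad guesses
        }
        return null;
    }
    $table[$selector]['failures'] = 0;
    return $row['user_id'];
}

// Constructed usage: issue a token for user 42, then check a good and a bad cookie.
$table  = [];
$cookie = issueToken($table, 42);
var_dump(validateToken($table, $cookie));
var_dump(validateToken($table, 'aaaa:bbbb'));
```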

  • @LeroyCochlovius
    @LeroyCochlovius 9 years ago

    But a user_id in a session is safe, right? I use a session to log in a user and track that id in $_SESSION.

    • @GeneralBowden
      @GeneralBowden 9 years ago

      +Leroy Cochlovius Yes! Correct, sessions are server-side files, so the user is unable to modify their session vars.

    • @jasworld9672
      @jasworld9672 5 years ago +1

      But every single time the user will have to sign into your website, that's annoying.