If a client uses a cookie for auto-login for 30 days, a hacker could log in and change user information once they get hold of the client's cookies. How can I prevent this?

Sorry for my bad English! Thanks in advance!

user441222

3 Answers

You should make sure cookies are only ever transmitted over an SSL connection. This is pretty much the only way to prevent cookie hijacking.

Other ways to help prevent it (though none will work 100% effectively) are to make sure you use unique identifiers in your cookie that expire. I.e., after every login, change the user ID that is stored in their cookie. This means that if someone hijacks a cookie, or hijacks old cookies, there is a good chance they will have expired.

Tom Gullen
  • There is no point in sending a cookie unless it can be used to authenticate again. So if the hacker grabs that one, he will gain access. No unique identifier can really prevent that, as you said. – user492238 Apr 04 '11 at 12:38
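As an added example (not code from the answerer), here is a minimal server-side store for the rotating, expiring remember-me tokens the answer describes, together with the cookie attributes that keep the token on the SSL connection. The class name, the 30-day lifetime taken from the question, and the `remember_me` cookie name are assumptions.

```python
import hashlib
import secrets

# Constructed example: persistent-login ("remember me") tokens that are
# random, stored only as hashes, expire, and are rotated on every use.
TOKEN_LIFETIME = 30 * 24 * 3600  # 30 days, as in the question (assumed)


class RememberMeStore:
    """Server-side table of hashed remember-me tokens, one row per issued token."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is kept, so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: float) -> str:
        """Create a fresh, unguessable token bound to user_id; return the raw token."""
        token = secrets.token_urlsafe(32)
        self._rows[self._hash(token)] = (user_id, now + TOKEN_LIFETIME)
        return token

    def redeem(self, token: str, now: float):
        """Authenticate with a presented token.

        On success the token is invalidated and a replacement is issued (rotation
        on every login), so a copy stolen earlier stops working as soon as the
        real user logs in again. Returns (user_id, new_token) or None.
        """
        row = self._rows.pop(self._hash(token), None)  # single use: remove first
        if row is None:
            return None
        user_id, expires_at = row
        if now >= expires_at:  # expired tokens are rejected even if unused
            return None
        return user_id, self.issue(user_id, now)


def set_cookie_header(token: str) -> str:
    """Build the Set-Cookie header for the token.

    Secure: sent only over HTTPS (the answer's main point). HttpOnly: not
    readable by page scripts. SameSite=Lax: not attached to cross-site requests.
    """
    return (f"Set-Cookie: remember_me={token}; Max-Age={TOKEN_LIFETIME}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")
```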
By not storing any login information on the client PC. At least not automatically. If the user does so, it is up to her. But you should not encourage her to do such unsafe things.

user492238
Go here and start reading: The Definitive Guide To Website Authentication

SecretDeveloper