Note
I have a very good understanding of sessions and the theory of secure authentication on websites, etc., so please do not start with the basics or give mixed answers. I am not looking for best practices because I know them. I am looking for the real risks associated with them that make best practices what they are.
I have read and agree with the principle that no more than a session identifier should be stored in a cookie at any given time.
History
However ... I inherited a rusty old application that stores the username, password and optional cookie ID, which is checked on all sites as verification / authorization.
This site is always (maybe) only accessible via HTTPS, and depending on your position, this is a low-risk website.
The application in its current state cannot be rewritten in such a way as to process sessions; for the correct implementation of such a thing, it would be necessary, in essence, to rewrite the entire application.
Question
Storing user IDs / passwords in clear text in a cookie is a very bad idea, but what are the real risks given that the connection is always initiated and managed via HTTPS?
For example: is the only obvious way to compromise this information through physical access to the machine containing the cookie? What are the other real risks?