I recently read Jeff's article on XSS, and it made me think about how best to protect cookies to log in to my authentication system.
Basically what I am doing now is (note: everything is configurable and currently set to true):
protected static string ComputeLoginHash(string passwordhash)
{
    StringBuilder sb = new StringBuilder();
    sb.Append(passwordhash);
    if (CookieUseIP)
    {
        // bind the cookie to the client's address
        sb.Append(HttpContext.Current.Request.UserHostAddress);
    }
    if (CookieUseBase)
    {
        // bind the cookie to the application's physical root path
        sb.Append(HttpContext.Current.Request.MapPath("/"));
    }
    if (CookieUseBrowserInfo)
    {
        // bind the cookie to the browser's User-Agent string
        sb.Append(HttpContext.Current.Request.UserAgent);
    }
    sb.Append(SiteName);
    return ComputeHash(sb.ToString());
}
(note that passwordhash is made up of password, unique salt and username).
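The same binding scheme with the verification side added, as an added example in Python rather than the poster's C#: the request fields, site name and password hash are constructed stand-ins, and the separator and constant-time compare are additions that the post's code does not have.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    """Constructed stand-in for the fields read from HttpContext.Current.Request."""
    user_host_address: str   # Request.UserHostAddress
    base_path: str           # Request.MapPath("/")
    user_agent: str          # Request.UserAgent


def compute_login_hash(password_hash, ctx, site_name,
                       use_ip=True, use_base=True, use_browser_info=True):
    """Mirror of ComputeLoginHash: bind the stored password hash to the
    enabled request properties plus the site name, then hash the result."""
    parts = [password_hash]
    if use_ip:
        parts.append(ctx.user_host_address)
    if use_base:
        parts.append(ctx.base_path)
    if use_browser_info:
        parts.append(ctx.user_agent)
    parts.append(site_name)
    # The post concatenates directly; a separator that cannot occur in the
    # fields keeps "ab"+"c" and "a"+"bc" from hashing to the same token.
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()


def cookie_is_valid(cookie_value, password_hash, ctx, site_name, **options):
    """Recompute the token for the current request and compare in constant time."""
    expected = compute_login_hash(password_hash, ctx, site_name, **options)
    return hmac.compare_digest(cookie_value, expected)


# Constructed sample data (not from the post).
PASSWORD_HASH = "constructed-password-hash-value"
SITE = "example-site"
LOGIN_CTX = RequestContext("203.0.113.10", "/var/www/site", "Mozilla/5.0 (constructed)")
ROAMED_CTX = RequestContext("198.51.100.7", "/var/www/site", "Mozilla/5.0 (constructed)")


def demo():
    cookie = compute_login_hash(PASSWORD_HASH, LOGIN_CTX, SITE)
    return {
        "same_request": cookie_is_valid(cookie, PASSWORD_HASH, LOGIN_CTX, SITE),
        # With CookieUseIP on, a user whose address changes is logged out.
        "new_ip": cookie_is_valid(cookie, PASSWORD_HASH, ROAMED_CTX, SITE),
        # Same user accepted again once IP binding is disabled on both sides.
        "new_ip_no_ip_binding": cookie_is_valid(
            compute_login_hash(PASSWORD_HASH, LOGIN_CTX, SITE, use_ip=False),
            PASSWORD_HASH, ROAMED_CTX, SITE, use_ip=False),
    }
```

The `new_ip` case is the trade-off behind CookieUseIP: a stolen cookie replayed from another address fails, but so does a legitimate session whose address changes.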