Creating a secure login cookie

I recently read Jeff's article on XSS, and it made me think about how best to protect the login cookies used by my authentication system.

Basically what I am doing now is (note: everything is configurable and currently set to true):

    using System.Text;
    using System.Web;

    // Builds the value stored in the login cookie: the stored password hash,
    // optionally combined with attributes of the current request, then hashed.
    // ComputeHash() and the Cookie* flags are the site's own members (not shown).
    protected static string ComputeLoginHash(string passwordhash){
        StringBuilder sb=new StringBuilder();
        sb.Append(passwordhash);
        if(CookieUseIP){
            // client address as seen by the server
            sb.Append(HttpContext.Current.Request.UserHostAddress);
        }
        if(CookieUseBase){
            // physical path the site root is mapped to
            sb.Append(HttpContext.Current.Request.MapPath("/"));
        }
        if(CookieUseBrowserInfo){
            // User-Agent header, supplied by the client
            sb.Append(HttpContext.Current.Request.UserAgent);
        }
        sb.Append(SiteName);
        return ComputeHash(sb.ToString());
    }

(note that passwordhash is made up of password, unique salt and username).

[…] UserAgent. […] UserAgent ([…])? […] cookie […]. […]? […] cookie […].

+3
1

[…]

ComputeLoginHash() […] cookie […]. […] cookie […]. […].

[…] cookie nonce […]. […] http-only cookie […] thwart XSS. […] STS header, HTTPS […], OWASP A9. […].

+6
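The following is an added example, not code from the question or from either answer. It puts the two designs discussed in this thread side by side in Python (chosen as a language-neutral illustration; the question's own code is ASP.NET): `deterministic_login_hash()` mirrors the shape of the question's `ComputeLoginHash()` only to make one property visible, namely that the same inputs always yield the same cookie value, so it cannot be rotated or revoked without changing the password; `issue_session()`, `lookup_session()` and `revoke_session()` implement the random-nonce cookie the higher-voted answer recommends, with the `HttpOnly` and `Secure` flags set. The in-memory `SESSIONS` dict, the `SESSION_TTL` value and all sample strings are assumptions standing in for a database table, a site policy and real request data.

```python
"""Added example: a revocable login cookie built on a random nonce.

Two designs side by side (constructed illustration, not code from the thread):
  * deterministic_login_hash(): the shape of the question's ComputeLoginHash().
    Same inputs always give the same value, so the cookie cannot be rotated
    or revoked without changing the password.
  * issue_session() / lookup_session() / revoke_session(): a random token,
    stored server-side only as its SHA-256 so a database leak does not yield
    usable cookies, sent with HttpOnly, Secure and SameSite set.
"""
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "session"
SESSION_TTL = 3600          # seconds; assumed policy value
SESSIONS = {}               # sha256(token) -> (user_id, expires_at); stands in for a DB table


def deterministic_login_hash(password_hash, client_ip, user_agent, site_name):
    """Mirrors the question's construction: SHA-256 over password hash + request data."""
    material = password_hash + client_ip + user_agent + site_name
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def _token_key(token):
    # Only the hash of the token is ever stored or looked up.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_session(user_id, now=None, ttl=SESSION_TTL):
    """Create a session and return (token, Set-Cookie header line)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    SESSIONS[_token_key(token)] = (user_id, now + ttl)

    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    jar[COOKIE_NAME]["httponly"] = True          # script cannot read it, blunting XSS theft
    jar[COOKIE_NAME]["secure"] = True            # browser sends it over HTTPS only
    jar[COOKIE_NAME]["samesite"] = "Lax"         # not attached to most cross-site requests
    jar[COOKIE_NAME]["path"] = "/"
    return token, jar.output(header="Set-Cookie:")


def lookup_session(token, now=None):
    """Return the user id for a live token, or None if unknown, expired or revoked."""
    now = time.time() if now is None else now
    key = _token_key(token)
    entry = SESSIONS.get(key)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now >= expires_at:
        SESSIONS.pop(key, None)                  # lazy cleanup of expired rows
        return None
    return user_id


def revoke_session(token):
    """Logout: drop the server-side record; the cookie value is then useless."""
    return SESSIONS.pop(_token_key(token), None) is not None


def user_from_cookie_header(cookie_header, now=None):
    """Resolve a request's Cookie header to a user id (None when not logged in)."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    return lookup_session(morsel.value, now)


if __name__ == "__main__":
    # Constructed values standing in for a user record and a request.
    h1 = deterministic_login_hash("stored-pw-hash", "203.0.113.7", "Mozilla/5.0", "example")
    h2 = deterministic_login_hash("stored-pw-hash", "203.0.113.7", "Mozilla/5.0", "example")
    print("deterministic value repeats across logins:", h1 == h2)

    token, header = issue_session("alice")
    print(header)
    print("request resolves to:", user_from_cookie_header("theme=dark; session=" + token))
    revoke_session(token)
    print("after logout:", user_from_cookie_header("session=" + token))
```

Because the server stores only the hash of the token, a stolen copy of the session table does not let an attacker forge cookies, and because the token is random rather than derived from the password, logging out (or expiring the row) invalidates the cookie without touching the password. The `Secure` flag covers the cookie itself; the STS header mentioned in the answer is a separate response header that a real application would also send.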

Source: https://habr.com/ru/post/1796435/
