Thread: cookies

  1. #1
    Senior Member
    Join Date
    Apr 2016
    Posts
    717
    Member #
    53891
    Liked
    11 times

    cookies

    Are cookies stored on a browser universal? I.e., can a cookie created by Facebook be used by Twitter or another site?

    I saw in a tutorial that it's pretty easy to look up and see what cookies are stored. Wouldn't that make it relatively easy to hijack someone's stored cookies and get access to sensitive data like passwords?

  3. #2
    WDF Staff mlseim's Avatar
    Join Date
    Apr 2004
    Location
    Cottage Grove, Minnesota
    Posts
    7,717
    Member #
    5580
    Liked
    718 times
    You should not use passwords or even usernames in cookies. Instead, you use a token key, like a 20 character random number that matches the key in your database. That's how you identify the user. Cookies are meant to help people. They can save settings, remember which page or post you are on, basic browser/user information that isn't necessarily secret.
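
The token-key approach from this post, as an added example (not code from the thread). The `sessions` table, the `sid` cookie name and the function names are assumptions, and an in-memory SQLite database stands in for the site's database.

```python
import hashlib
import secrets
import sqlite3
import time

db = sqlite3.connect(":memory:")  # stand-in for the site's real database
db.execute("CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, username TEXT, expires REAL)")

def _hash(token):
    # Only a hash of the token is stored, so a leaked table holds no usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()

def login(username, lifetime=3600, now=None):
    """Call after the password check succeeds. Returns (token, Set-Cookie value)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
               (_hash(token), username, now + lifetime))
    # The cookie carries the random token only: no username, no password.
    # HttpOnly keeps page scripts from reading it; Secure restricts it to HTTPS.
    header = f"sid={token}; Max-Age={lifetime}; Path=/; Secure; HttpOnly; SameSite=Lax"
    return token, header

def user_for(token, now=None):
    """Map the cookie value back to a username, or None if unknown or expired."""
    now = time.time() if now is None else now
    row = db.execute("SELECT username, expires FROM sessions WHERE token_hash = ?",
                     (_hash(token),)).fetchone()
    if row is None or row[1] < now:
        return None
    return row[0]

def logout(token):
    # Deleting the row invalidates the cookie even if a copy of it still exists.
    db.execute("DELETE FROM sessions WHERE token_hash = ?", (_hash(token),))
```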


  4. #3
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,483
    Member #
    425
    Liked
    2783 times
    That's not totally true. You can use usernames in cookies safely if you know what you're doing and you don't store them in plain text. You could use a two-way encryption algorithm such as Triple DES (3DES) with a customized secret key and initialization vector (or nonce, as some like to call it). This is the encryption algorithm of choice for electronic payments, and I'll use it for usernames and certain other pieces of information. Microsoft also uses it for forms-based authentication (logins, etc.) within ASP.net.

    https://www.asp.net/web-forms/overvi...nced-topics-cs <-- older, but will still give you the general idea.

    So you can use it. It's pretty safe. Mind you, I'm not sure if most other frameworks/languages offer it. I know classic ASP doesn't by default, and I'm not sure about PHP.

    You could also use it as Max suggested as well....generating a token key (or GUID) and making a database call to get the username. The disadvantage to this approach is that you're making a database call every time you need that username. If you're not displaying it on a page or doing anything of that nature, it's not such a big deal...but if you're doing one of those "Welcome back, busso!" deals on your page, the cookie approach is better from a resource standpoint.
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.
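
A stateless username cookie that needs no database call, as an added example (not code from the thread). It swaps in HMAC-SHA256 signing from the Python standard library rather than the 3DES encryption mentioned in the post, so the username stays readable to the client but cannot be changed without the server's key. `SECRET_KEY` and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # placeholder; load the real key from server config

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(payload):
    return _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())

def make_cookie(username, lifetime=3600, now=None):
    """Return 'payload.tag', where payload is base64(username|expiry)."""
    expires = int((time.time() if now is None else now) + lifetime)
    payload = _b64(f"{username}|{expires}".encode())
    return f"{payload}.{_tag(payload)}"

def read_cookie(value, now=None):
    """Return the username if the tag verifies and the cookie has not expired."""
    now = time.time() if now is None else now
    try:
        payload, tag = value.split(".")
        # Check the tag before trusting anything inside the payload.
        if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
            return None
        username, expires = _unb64(payload).decode().rsplit("|", 1)
        if int(expires) < now:
            return None
    except (ValueError, UnicodeError):
        return None  # malformed cookie: wrong shape, bad base64, bad expiry
    return username
```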

  5. #4
    WDF Staff mlseim's Avatar
    The database call is only at login or when determining the cookie key; once done, it can become a session. There are many uses for cookies and they are a good thing, but have been given a bad rap.

  6. #5
    Senior Member Ronald Roe's Avatar
    Join Date
    Mar 2011
    Location
    Oklahoma City
    Posts
    3,141
    Member #
    27197
    Liked
    959 times
    Quote, originally posted by busso:
    Are cookies stored on a browser universal? I.e., can a cookie created by Facebook be used by Twitter or another site?

    I saw in a tutorial that it's pretty easy to look up and see what cookies are stored. Wouldn't that make it relatively easy to hijack someone's stored cookies and get access to sensitive data like passwords?

    Ever been on Facebook and seen an ad show up for something you searched on Amazon? Or a banner ad on a site that does that? That's how that works.
    Ron Roe
    Web Developer
    "If every app were designed using the same design template, oh wait...Bootstrap."

  7. #6
    Senior Member
    Can one site use cookies created by another site?

  8. #7
    WDF Staff mlseim's Avatar
    The technical answer is NO, they can't read another site's cookies.

    But ...

    There are 3rd party cookies, such as those used by ad-clicking and tracking sites. They keep track of where you are clicking to if the site subscribes to their services, such as Google AdSense. That's why if you buy something on Amazon and then go to another unrelated website, you might see ads relating to what you bought on Amazon. You ask yourself, "How did they know that?" Both sites might be using AdSense, so the information / cookie is controlled by the tracking site.

    See this:
    web application - Can a webpage read another page's cookies? - Information Security Stack Exchange
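
A toy model of the behaviour described in this post, as an added example (not code from the thread): each site receives only its own cookies, while a tracker embedded on both sites gets its own cookie back on every page and can link the visits. The hosts `shop.example`, `news.example` and `tracker.example` and all class names are constructed for illustration.

```python
import secrets

class Browser:
    """Toy cookie jar: cookies are stored per host and sent back only to that host."""
    def __init__(self):
        self.jar = {}  # host that set the cookie -> {name: value}

    def fetch(self, server, page_site):
        """Request something from `server` while the address bar shows `page_site`."""
        sent = dict(self.jar.get(server.host, {}))  # never another host's cookies
        self.jar.setdefault(server.host, {}).update(server.handle(sent, page_site))
        return sent

class Site:
    def __init__(self, host, embeds=()):
        self.host, self.embeds = host, embeds

    def handle(self, cookies, page_site):
        # Ordinary first-party session cookie.
        return {} if "sid" in cookies else {"sid": secrets.token_hex(8)}

class Tracker(Site):
    def __init__(self, host):
        super().__init__(host)
        self.log = []  # (uid, site the user was on)

    def handle(self, cookies, page_site):
        uid = cookies.get("uid") or secrets.token_hex(8)
        self.log.append((uid, page_site))  # the tracker learns the embedding site
        return {"uid": uid}

def visit(browser, site):
    sent = browser.fetch(site, site.host)      # first-party request
    for third_party in site.embeds:            # e.g. an ad script on the page
        browser.fetch(third_party, site.host)  # third-party request
    return sent

def demo():
    tracker = Tracker("tracker.example")
    shop = Site("shop.example", embeds=[tracker])
    news = Site("news.example", embeds=[tracker])
    browser = Browser()
    visit(browser, shop)
    sent_to_news = visit(browser, news)
    return sent_to_news, tracker.log
```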