Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

A cookie is typically a short string. If it contains sensitive information, that information should be encrypted. Sensitive information includes user names, passwords, credit card numbers, social security numbers, and any other personally identifiable information about the user. For more details about managing passwords, see 13. Store passwords using a hash function. For more information about securing the memory that holds sensitive information, see 01. Limit the lifetime of sensitive data.

Noncompliant Code Example

In this noncompliant code example, the login servlet stores the user name and password in the cookie to identify the user for subsequent requests:

...

However, the attempt to implement the remember-me functionality is insecure because an attacker with access to the client machine can obtain this informationdirectly on the client. This code also violates 13. Store passwords using a hash function.

Compliant Solution (Session)

This compliant solution implements the remember-me functionality by storing the user name and a secure random string in the cookie. It also maintains state in the session using HttpSession:

...

This solution avoids session-fixation attacks by invalidating the current session and creating a new session. It also reduces the window during which an attacker could perform a session-hijacking attack by setting the session timeout to fifteen minutes between client accesses.

Applicability

Storing unencrypted sensitive information on the client makes this information available to anyone who can attack the client.

Bibliography

...