
A commonly repeated piece of advice on the web is not to store usernames in cookies.

However, I don't really understand the problem. What I'm doing in my web application is: I generate a 16-byte (converted to 32-bit hex) random session ID from a CSPRNG, and store the username and this session ID in cookies.

Needless to say, the existence of the session ID and its correlation with the user is checked against a database before performing any actions in the web application. I'm doing this to speed up the database access a bit, and to protect against the problem of collisions, where a user may find themselves authorized as a different user due to an accidental collision.

What is the weakness in this scheme?

1 Answer


People who say that are confused. You should not blindly trust data stored in cookies for important operations, but storing non-confidential information (and the username is not confidential) in a cookie for convenience is fine. Just don't use it for security decisions without validating it first.

So, storing the username in a cookie to say "Welcome Alice, please log in." is fine. But trusting that the user is Alice just because a cookie says that is not. In that case, it would be too easy for Mallory to set their cookie to "Alice" and get access to Alice's account.

Neil Smithline
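The distinction the answer draws, as an added example that is not code from the question or the answer: the username cookie may drive a greeting, but identity comes only from the server-side session record, and a username cookie that disagrees with that record is rejected rather than believed. The in-memory `SESSIONS` dict stands in for the database table the question describes, and the cookie names `session_id` and `username` are assumptions for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed stand-in for the database table the question describes:
# session_id -> username. Hypothetical; a real app would query its DB here.
SESSIONS = {}


def create_session(username):
    """Issue a 16-byte CSPRNG session ID (32 hex characters) and bind it
    to the username server-side. The browser gets the ID; the binding stays here."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = username
    return session_id


def parse_cookie_header(header):
    """Turn a raw Cookie request header into a plain dict of name -> value."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def greeting(cookies):
    """The harmless use the answer allows: the cookie only personalises text,
    and nothing is authorised on the strength of it."""
    name = cookies.get("username")
    return f"Welcome {name}, please log in." if name else "Welcome, please log in."


def naive_user_from_cookies(cookies):
    """The mistake the answer warns about: treat the username cookie as identity
    as long as some session cookie is present, without checking the binding."""
    if "session_id" in cookies:
        return cookies.get("username")
    return None


def authenticated_user(cookies):
    """Correct check: the session ID decides who the caller is. The username
    cookie is at most a hint and must agree with the server-side record;
    a mismatch means tampering or a stale cookie, so the request is rejected."""
    session_id = cookies.get("session_id", "")
    stored_user = SESSIONS.get(session_id)
    if stored_user is None:
        return None  # unknown or expired session ID: not logged in
    if cookies.get("username", "") != stored_user:
        return None  # cookie disagrees with the session record: do not trust it
    return stored_user


if __name__ == "__main__":
    alice_sid = create_session("alice")
    mallory_sid = create_session("mallory")
    # Mallory keeps her own valid session but rewrites the username cookie.
    forged = parse_cookie_header(f"session_id={mallory_sid}; username=alice")
    print("naive  :", naive_user_from_cookies(forged))   # alice  (wrong)
    print("checked:", authenticated_user(forged))        # None   (rejected)
    print(greeting(forged))                              # greeting only, no access
```

`naive_user_from_cookies` is the behaviour the answer describes as "trusting that the user is Alice just because a cookie says that"; `authenticated_user` is the scheme from the question done properly, where the database row for the session ID is what authorises, and the cookie's username is merely required to match it.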