将密码存储在 cookie 中是否安全? [英] Is it secure to store passwords in cookies?

问题描述

我的 Web 应用程序主页有一个 RememberMe 复选框.如果用户检查它，我会将电子邮件 ID 和密码存储在 cookie 中.这是我的代码:

My web application's home page has a RememberMe checkbox. If the user checks it, I willl store email-id and password in cookies. This is my code:

if (this.ChkRememberme != null && this.ChkRememberme.Checked == true)
   {
     HttpCookie cookie = new HttpCookie(TxtUserName.Text, TxtPassword.Text);
     cookie.Expires.AddYears(1);
     Response.Cookies.Add(cookie);
   }

我想知道的是:

• 将密码存储在 cookie 中是否安全?
• 做同样事情的正确方法是什么?
• 设置 Cookie 时间的最佳做法是什么?

推荐答案

将密码存储在 cookie 中并不安全，因为它们以纯文本形式提供.

It's NOT secure to store passwords in cookies because they are available as plain text.

Cookie Central 是查找有关 cookie 的一些答案的好地方. 会员资格通常是当您提供您的用户名和密码时，使用了从网站发出的带有名为令牌"的长字符串的 cookie.您可以在这篇文章中找到有关流程的更多信息.在 ASP.NET 中使用表单身份验证时，您可以像这样设置身份验证 cookie:

A good place to find some answers about cookies is Cookie Central. For membership usually is used a cookie with a long string called 'token' that is issued from the website when you provide your user name and password. More about the process you can find in this article. When using forms authentication in ASP.NET you can set the authentication cookie like this:

FormsAuthentication.SetAuthCookie(userName, isPersistanceCookie);

第二个参数用于记住我".功能 - 如果为 true，它将创建在您离开网站后将持续存在的持久性 cookie.您还可以像这样以编程方式操作 cookie:

The second parameter is used for "Remember Me" functionality - if true it will create persistent cookies that will last after you leave the site. You can also programatically manipulate the cookie like this:

HttpCookie authCookie =
  HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];

这篇关于将密码存储在 cookie 中是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！