
As far as I understand, the secret in an authentication cookie is used on the server to check against a database to find the user associated with the secret.

Does this secret need to be encrypted when sent to the client?

charliesneath
  • What type of cookies are you referring to? If it's JSON Web Tokens (JWT) then the secret shouldn't be shared with the client at all. – YSK Apr 20 '17 at 19:34
  • You probably mean session cookies, right? If you use HTTPS, then not. If you don't use HTTPS, then those are not your users' session cookies anymore and network attackers have them already. It doesn't matter whether they are encrypted or not. – Artjom B. Apr 20 '17 at 19:46
  • @ArtjomB. I don't think I mean session cookie; my terminology is off but I mean the cookies that remember when users are logged in (and persist longer than a session). – charliesneath Apr 20 '17 at 20:01
  • OK, so you're talking about persistent cookies. It probably depends on the way the cookie value is generated/chosen, but I see no reason for encryption when the cookie value (token) is chosen randomly, which is how it should be. – Artjom B. Apr 20 '17 at 20:22
  • @ArtjomB. Thanks. [This answer](http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website) ended up answering my questions for me, especially [this link](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2). – charliesneath Apr 21 '17 at 14:43
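The persistent "remember me" cookie the question and comments describe, as an added example that is not code from the original post or from any of the commenters. It follows the reasoning in the comments: the cookie value is a random token, so it carries no user data worth encrypting, and HTTPS (the `Secure` flag) is what protects it in transit. It also adopts the selector/validator split from the Paragon Initiative article linked in the comments, so that a read-only leak of the server-side table does not yield usable cookies. The in-memory dict standing in for the database, the cookie name, the 30-day lifetime and the function names are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed in-memory stand-in for the server-side table that maps a
# cookie's selector to the user it belongs to (assumption for this example).
_REMEMBER_ME_TABLE = {}

COOKIE_NAME = "remember_me"          # assumed cookie name
TTL_SECONDS = 30 * 24 * 3600         # assumed 30-day lifetime


def issue_remember_me(user_id, db=_REMEMBER_ME_TABLE, now=None):
    """Create a persistent-login token for user_id and return the cookie value.

    The value is selector:validator. Both halves are random; only a SHA-256
    hash of the validator is stored, so someone who can read the table cannot
    reconstruct a working cookie. Nothing here is encrypted: the token is not
    derived from user data, so there is nothing for a client to learn from it.
    """
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)    # lookup key, 96 bits of randomness
    validator = secrets.token_urlsafe(32)   # the actual secret, 256 bits
    db[selector] = {
        "user": user_id,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
        "expires": now + TTL_SECONDS,
    }
    return f"{selector}:{validator}"


def set_cookie_header(cookie_value):
    """Build the Set-Cookie header line with the flags a persistent token needs.

    Secure keeps it off plaintext HTTP (the point made in the comments:
    without HTTPS a network attacker already has it), HttpOnly keeps it away
    from page scripts, and Max-Age bounds its lifetime on the client side.
    """
    c = SimpleCookie()
    c[COOKIE_NAME] = cookie_value
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["samesite"] = "Lax"
    c[COOKIE_NAME]["max-age"] = TTL_SECONDS
    c[COOKIE_NAME]["path"] = "/"
    return c.output(header="Set-Cookie:").strip()


def lookup_user(cookie_value, db=_REMEMBER_ME_TABLE, now=None):
    """Return the user id for a presented cookie, or None if it is not valid.

    The selector is looked up in the table (a normal database key lookup); the
    validator is hashed and compared in constant time against the stored hash.
    A correct selector with a wrong validator means the secret was guessed or
    the row leaked, so that row is revoked rather than left for further tries.
    """
    now = time.time() if now is None else now
    if not cookie_value or ":" not in cookie_value:
        return None
    selector, validator = cookie_value.split(":", 1)
    row = db.get(selector)
    if row is None:
        return None
    if row["expires"] < now:
        del db[selector]
        return None
    presented = hashlib.sha256(validator.encode()).hexdigest()
    if not hmac.compare_digest(presented, row["validator_hash"]):
        del db[selector]
        return None
    return row["user"]


def revoke(cookie_value, db=_REMEMBER_ME_TABLE):
    """Logout: drop the server-side row so the cookie stops working immediately."""
    if cookie_value and ":" in cookie_value:
        db.pop(cookie_value.split(":", 1)[0], None)


if __name__ == "__main__":
    token = issue_remember_me("alice")
    print(set_cookie_header(token))
    print("lookup ->", lookup_user(token))
    revoke(token)
    print("after revoke ->", lookup_user(token))
```

Because the validator is random, there is no key management problem on the client side and no need to encrypt the value; what matters is that it is generated with a CSPRNG, sent only over HTTPS, compared in constant time, and stored server-side only as a hash.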
