
I am using the jQuery Cookie plugin for reading/writing cookies. I have the code below, in which I am storing the username; now I want it to be encrypted in the cookie and decrypted while reading.

    // Remember the user if the "remember me" box is ticked; otherwise clear the cookies.
    // userNo is assumed to be the jQuery-wrapped username input.
    if ($('#remember').is(':checked')) {
        $.cookie('username', userNo.val());
        $.cookie('remember', 'true');
    } else {
        // reset cookies: passing null removes the cookie in the jQuery Cookie plugin
        $.cookie('username', null);
        $.cookie('remember', null);
    }

Please suggest!!

Manoj Singh
  • there is no point in encrypting/decrypting if your whole source is visible !!! – S L Mar 10 '11 at 05:25
  • however you can use something like this http://www.webtoolkit.info/javascript-base64.html – S L Mar 10 '11 at 05:27
  • @experimentx, so you mean we can't have encryption and decryption on the client side; any suggestions for doing this on the server side? – Manoj Singh Mar 10 '11 at 05:33
  • @MKS: What language/framework are you using on the server-side? – Cameron Mar 10 '11 at 05:36
  • @well, if you intend on server side then check this http://stackoverflow.com/questions/5089841/php-2-way-encryption-i-need-to-store-passwords-that-can-be-retrieved/5150459#5150459 I have also tried to answer, but the best answer is by Ircmaxell – S L Mar 10 '11 at 05:42
  • @Cameron, I am using .NET 2.0 and C#. – Manoj Singh Mar 10 '11 at 05:45
  • @MKS: Is the username really sensitive? Your example seems to indicate that the user is checking off some sort of "remember me" checkbox in a login form; in this case, there's not much point in encrypting the username if anyone with access can just navigate to the site and see the pre-entered username – Cameron Mar 10 '11 at 05:45
  • @Cameron, the username above is being entered while logging in to my website, so just for security I am a little concerned, please suggest! – Manoj Singh Mar 10 '11 at 05:58
  • @MKS: Then don't store the username, store a non-sensitive unique identifier instead. See my updated answer (the part about GUIDs) – Cameron Mar 10 '11 at 06:00

1 Answer


There is no way to securely encrypt the data while still having access to it from your Javascript since in order to do so, the (publicly visible) Javascript would have to contain both the decoding algorithm and any secret key used to encrypt the data!

Instead, if you want the data in the cookies to be encrypted, you can encrypt the contents on the server-side, and later decrypt the contents also on the server side. Any secret key on the server cannot be seen by the client (unless they somehow hack in, but then you've got bigger problems...).

Even if the data in the cookies is encrypted, that does not prevent the client from tampering with them; it only prevents the client from knowing what's in them. You can use an HMAC scheme to guarantee that the data has not been tampered with, but that seems like overkill here.

In this situation, you're storing the username as a means of identifying the user later; you could easily construct a random, meaningless value (a "nonce") that uniquely identifies the user and store that instead of the username. .NET's Guid.NewGuid() is good for this -- store one copy in the database, and one in the user's cookie. Then, when the user comes back, you can look up the cookie value in the database and find the correct user (since GUIDs are unique).

Cameron
  • thanks Cameron, I know that it's not secure doing all this stuff from the client side, can you please suggest how to do it on the server side – Manoj Singh Mar 10 '11 at 06:01
  • @MKS: I can't write the code (it depends too much on how your stuff is set up), but you can a) generate a new GUID when someone logs in if they've checked off "remember me"; b) put the GUID into the database (in a column in your user table); c) put the GUID into a cookie in the response headers (see [HttpCookieCollection](http://msdn.microsoft.com/en-us/library/system.web.httpcookiecollection(v=VS.80).aspx)); d) when the login page is rendered, look at the cookie in the request (if it's there), find the user the GUID in the cookie corresponds to, and prepopulate the field in the HTML response – Cameron Mar 10 '11 at 06:11
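The server-side scheme sketched in the answer and in Cameron's last comment (steps a through d), as an added C# example that is neither the question's nor the answer's code. It assumes an in-memory dictionary in place of the users table, a hypothetical server secret, and a CSPRNG-generated token in place of Guid.NewGuid(); that swap is my choice, since Guid.NewGuid() is not documented as cryptographically unpredictable. The HMAC tag is the tamper check the answer mentions; with a 256-bit random token and a database lookup it is optional, but it lets the server reject forged cookies before touching the database. Only .NET 2.0-era APIs are used.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the question or the answer. Server-side "remember me":
// the cookie carries an opaque random token plus an HMAC tag; the user table (here an
// in-memory dictionary, constructed for the example) maps a hash of the token to the user.
// The username never leaves the server, so there is nothing in the cookie to decrypt.
public static class RememberMe
{
    // Server-only HMAC key. Hypothetical value: load a real one from configuration.
    private static readonly byte[] ServerKey =
        Encoding.UTF8.GetBytes("HYPOTHETICAL-server-secret-replace-me");

    // Stand-in for the "remember token" column in the users table: token hash -> user id.
    private static readonly Dictionary<string, string> TokenStore =
        new Dictionary<string, string>();

    // Steps (a) and (b): on a login with "remember me" ticked, mint a random token and
    // record its hash. Only the hash is stored, so a copied table cannot be replayed.
    public static string IssueCookieValue(string userId)
    {
        byte[] raw = new byte[32];
        RandomNumberGenerator.Create().GetBytes(raw);
        string token = Hex(raw);
        TokenStore[Hex(Sha256(token))] = userId;
        // Step (c): the returned string is the cookie value, e.g. in ASP.NET:
        //   HttpCookie c = new HttpCookie("remember", value);
        //   c.HttpOnly = true; c.Secure = true; c.Expires = DateTime.UtcNow.AddDays(30);
        //   Response.Cookies.Add(c);
        return token + "." + Hex(Hmac(token));
    }

    // Step (d): when the login page is requested, validate the cookie and find the user.
    // Returns null for a missing, malformed, forged or revoked cookie.
    public static string ResolveUser(string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue)) return null;
        int dot = cookieValue.IndexOf('.');
        if (dot <= 0 || dot == cookieValue.Length - 1) return null;
        string token = cookieValue.Substring(0, dot);
        string tag = cookieValue.Substring(dot + 1);
        // Reject tampered cookies before querying the database (the HMAC point in the answer).
        if (!FixedTimeEquals(Hex(Hmac(token)), tag)) return null;
        string userId;
        return TokenStore.TryGetValue(Hex(Sha256(token)), out userId) ? userId : null;
    }

    // Forget the token (logout, or the "reset cookies" branch in the question).
    public static bool Revoke(string cookieValue)
    {
        int dot = cookieValue == null ? -1 : cookieValue.IndexOf('.');
        if (dot <= 0) return false;
        return TokenStore.Remove(Hex(Sha256(cookieValue.Substring(0, dot))));
    }

    private static byte[] Hmac(string data)
    {
        using (HMACSHA256 h = new HMACSHA256(ServerKey))
        {
            return h.ComputeHash(Encoding.UTF8.GetBytes(data));
        }
    }

    private static byte[] Sha256(string data)
    {
        using (SHA256 h = SHA256.Create())
        {
            return h.ComputeHash(Encoding.UTF8.GetBytes(data));
        }
    }

    // Hex rather than Base64 so the cookie value never contains '=', ';' or ','.
    private static string Hex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    // Constant-time comparison so the tag check does not leak how many characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        string cookie = IssueCookieValue("user-42");                 // on login
        Console.WriteLine(ResolveUser(cookie));                       // user-42
        // Flip the last hex digit of the tag: the HMAC check rejects it.
        char last = cookie[cookie.Length - 1] == '0' ? 'f' : '0';
        string forged = cookie.Substring(0, cookie.Length - 1) + last;
        Console.WriteLine(ResolveUser(forged) ?? "rejected");         // rejected
        Revoke(cookie);
        Console.WriteLine(ResolveUser(cookie) ?? "rejected");         // rejected (revoked)
    }
}
```

Because the lookup key is a hash of the token, revoking is a matter of deleting the row, and a leaked copy of the table does not let anyone mint a valid cookie. Mark the cookie HttpOnly and Secure as shown in the comment so page scripts cannot read it and it is only sent over TLS.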