Question

I have an authentication form and for 'remember me' functionality, I want to use cookies which will store username and password.

Here is my question: if I want to keep a cookie for a month, will it be a good idea to store the password inside the cookie? Can someone see cookie values and edit them using a cookie manager or similar tools? How wise would it be to store passwords in cookies?

Please suggest. Thanks in advance.


Solution

Cookies can easily be viewed and modified by users, for example by the Chrome extension EditThisCookie. Therefore, storing passwords in cookies is probably not a good idea.

You could encrypt the cookie using a server key that is somehow affected by the user name. You would have a base key for cookie encryption/decryption and then maybe salt it with the username stored. Crypto operations would obviously have to be performed on the server.

Probably better is storing a session key in the cookie, still encrypted to prevent theft of cookies from allowing the thief to log in. Have the session key include some information about the user-agent and whatever other info the browser supplies, maybe. Of course, you'll have to keep a table of valid session keys on the server.
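An added example (not code from the question or the answer) of the approach in the answer's last paragraph: the cookie carries only an opaque random token, and the server keeps a table of valid tokens with a one-month expiry, so the password never leaves the server. The class and function names are assumptions for illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

ONE_MONTH = 30 * 24 * 3600  # cookie lifetime in seconds


class RememberMeStore:
    """Server-side table of valid persistent-login tokens (hypothetical name).
    Only the SHA-256 of each token is stored, so a leaked table does not
    yield usable cookies."""

    def __init__(self) -> None:
        self._table: Dict[str, Tuple[str, float]] = {}  # digest -> (user, expiry)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: float) -> str:
        # 32 random bytes: the cookie value contains no password and nothing
        # derived from it; it is just a handle into this table.
        token = secrets.token_urlsafe(32)
        self._table[self._digest(token)] = (username, now + ONE_MONTH)
        return token

    def lookup(self, token: str, now: float) -> Optional[str]:
        """Return the username for a valid token, or None if unknown/expired."""
        key = self._digest(token)
        entry = self._table.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._table[key]  # expired: drop it so it cannot be reused
            return None
        return username

    def revoke(self, token: str) -> None:
        """Log out everywhere this token was used (e.g. on password change)."""
        self._table.pop(self._digest(token), None)


def set_cookie_header(token: str) -> str:
    # HttpOnly keeps page scripts from reading it, Secure restricts it to HTTPS,
    # SameSite=Lax limits cross-site sending, Max-Age expires it after a month.
    return (f"remember_me={token}; Max-Age={ONE_MONTH}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")
```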

Licensed under: CC-BY-SA with attribution