Information Security Asked on October 28, 2021
I’m making a webapp which has to maintain some user-specific data, so authentication is needed. My app is not anything mission critical. As this is the case, I thought of removing the whole sign-up/sign-in as it acts as a big barrier for a visitor. Instead the authentication is based solely on cookies. When they access my app, a cookie is set and they are logged in. All their activities are stored in the db against their cookie value. So whenever they visit again from the same browser, they will get their customized pages.
I know that they can’t browse from another device, or if they clear cookies they can’t recover their account. Let’s say these won’t be problems for me, as there are going to be a handful of initial users. In case they face such trouble accessing, I could give them support.
So is it advisable to have cookie-only authentication? And also, is leaving the cookie unchanged (permanent) fine?
The security of your approach depends on the ability to protect the cookie against misuse by others, similar to how the security of credential-based methods (i.e. username and password) depends on the ability to protect these credentials.
Only, nothing is known about your ability to protect the cookie. It is not known if you use HTTPS to protect against extracting the cookie by sniffing the connection. Neither is it known if the cookie is httpOnly to protect against extraction by XSS attacks. It is also not known if attacks on the user's system are part of the threats you need to worry about, since of course this permanent cookie needs to be stored somehow on the user's system. And then there might be server-side problems which might cause cookies to be leaked too.
In summary: it might be safe enough for your specific use case or it might not be. Too little is known about the use case and how the cookie is protected on the client, in transit and on the server.
Answered by Steffen Ullrich on October 28, 2021
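As an added illustration of the controls the answer lists (not code from the question or the answer), the following Python example shows how a cookie-only identifier can be issued and checked so that the three places the answer names are covered: in transit (the `Secure` flag), on the client (`HttpOnly` and `SameSite`), and on the server (only a hash of the identifier is stored, so a leaked database does not yield working cookies). It also shows rotating the identifier, which bounds how long a stolen "permanent" cookie stays useful. The cookie name `uid`, the in-memory `SESSIONS` dict standing in for the database, and the one-year lifetime are assumptions chosen for the example. None of this helps against malware on the user's own device, which the answer notes is a separate threat.

```python
import hashlib
import secrets
from http.cookies import CookieError, SimpleCookie

# Constructed in-memory stand-in for the database: maps sha256(token) -> user record.
# Only the hash is stored, so a dump of this table cannot be replayed as cookies.
SESSIONS = {}

COOKIE_NAME = "uid"                      # hypothetical cookie name
COOKIE_MAX_AGE = 60 * 60 * 24 * 365      # one year, i.e. the "permanent" cookie from the question


def _token_hash(token: str) -> str:
    """Server-side representation of a token; the raw token never touches storage."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def _build_set_cookie(token: str) -> str:
    """Render a Set-Cookie header value with the protective attributes set."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    morsel = cookie[COOKIE_NAME]
    morsel["secure"] = True        # only sent over HTTPS: defeats sniffing of the connection
    morsel["httponly"] = True      # not readable from JavaScript: blocks theft via XSS
    morsel["samesite"] = "Lax"     # not attached to cross-site POSTs: limits CSRF
    morsel["path"] = "/"
    morsel["max-age"] = COOKIE_MAX_AGE
    return morsel.OutputString()


def create_user_cookie():
    """Issue a fresh identifier for a new visitor; returns (Set-Cookie value, raw token)."""
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable or enumerable
    SESSIONS[_token_hash(token)] = {"prefs": {}}
    return _build_set_cookie(token), token


def lookup_user(cookie_header: str):
    """Parse an incoming Cookie header and return the user's record, or None if unknown."""
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header)
    except CookieError:
        return None                 # malformed header: treat as anonymous, do not raise
    if COOKIE_NAME not in cookie:
        return None
    # Hash the presented value and look it up; the raw value is never compared to storage.
    return SESSIONS.get(_token_hash(cookie[COOKIE_NAME].value))


def rotate_cookie(old_token: str):
    """Replace a visitor's identifier with a new one, keeping their data.

    Calling this periodically (or on sensitive actions) means a cookie copied
    by an attacker stops working at the next rotation instead of lasting forever.
    """
    record = SESSIONS.pop(_token_hash(old_token), None)
    if record is None:
        return None
    new_token = secrets.token_urlsafe(32)
    SESSIONS[_token_hash(new_token)] = record   # carry the stored data over to the new token
    return _build_set_cookie(new_token), new_token


if __name__ == "__main__":
    header, token = create_user_cookie()
    print("Set-Cookie:", header)
    print("lookup ok:", lookup_user(f"{COOKIE_NAME}={token}") is not None)
```

The `Secure`, `HttpOnly` and `SameSite` attributes are standard cookie attributes honoured by current browsers; `SimpleCookie` emits them from the flags set above (Python 3.8 or newer is needed for `samesite`). Because lookups go through `_token_hash`, the server never needs the raw identifier after it has been sent to the browser, and the stored hashes are useless to anyone who reads the database.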