Is it secure to store passwords in cookies?

ACP picture ACP · Jan 20, 2010 · Viewed 39.4k times · Source

My web application's home page has a RememberMe checkbox. If the user checks it, I willl store email-id and password in cookies. This is my code:

if (this.ChkRememberme != null && this.ChkRememberme.Checked == true)
   {
     HttpCookie cookie = new HttpCookie(TxtUserName.Text, TxtPassword.Text);
     cookie.Expires.AddYears(1);
     Response.Cookies.Add(cookie);
   }

What I want to know is:

  • Is it secure to store passwords in cookies?
  • What is proper way of doing the same?
  • What are the best practices in setting time for a cookie?

Answer

Branislav Abadjimarinov picture Branislav Abadjimarinov · Jan 20, 2010

It's NOT secure to store passwords in cookies because they are available as plain text.

A good place to find some answers about cookies is Cookie Central. For membership usually is used a cookie with a long string called 'token' that is issued from the website when you provide your user name and password. More about the process you can find in this article. When using forms authentication in ASP.NET you can set the authentication cookie like this:

FormsAuthentication.SetAuthCookie(userName, isPersistanceCookie);

The second parameter is used for "Remember Me" functionality - if true it will create persistent cookies that will last after you leave the site. You can also programatically manipulate the cookie like this:

HttpCookie authCookie =
  HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];