Information Security
My Way, 2018-10-24 22:44:49

Is it safe to store the token in cookies?

Info:
I have a special field for each user, which is generated during the first authorization and when the password is changed. It is compared with the value in the cookie: if it matches, everything is OK; if not, we log the account out.
This is needed, for example, when the password has been changed and we want to log out on all other devices. Otherwise there is no point in changing the password.
Question:
Can I store this value unencrypted in cookies? In fact it does not affect anything except authorization. This value is also used as a unique identifier in socket.io sockets, and we print it to the console when the socket is successfully connected.
PS: I use Laravel; I didn't find a ready-made solution there, and I don't use their local token, which is needed for Remember Me.


2 answer(s)
My Way, 2018-10-26
@heyMyWay

Solution for Laravel. It turned out that in version 5.3 they added this check on password change; the function is still undocumented. Here is the description and solution: https://kfirba.me/blog/the-undocumented-authentica...

xmoonlight, 2018-10-24
@xmoonlight

1. A token is a token! Whether it's encrypted or not doesn't matter.
2. I don't know of any other options for auto-login besides a token saved on the client side.
3. Don't forget to check for a change of client device with an identical token (so that it can't be taken and transferred to another PC): if the client device is a browser, the following bundle should help: provider subnet + fingerprint2. If the bundle changes, we request authorization and issue a new token, then add this token to the account on the server (without touching the old ones, of course).
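Added example (not code from the question or either answer, and not Laravel's own implementation): a framework-agnostic Python sketch that combines the two ideas in this thread, the per-user token from the question that is rotated on password change so every other device's cookie stops matching, and xmoonlight's point 3, binding each issued token to a "provider subnet + fingerprint" bundle and asking for a fresh login when the same token shows up from an unseen bundle. The token is an opaque random string, so encrypting it in the cookie adds nothing; what matters is that it is a bearer credential, so the cookie should carry `HttpOnly`, `Secure` and `SameSite`, and the value should not be written to logs or the console. The in-memory user store, `sha256` standing in for a real password hasher, the subnet values and the fingerprint strings are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory "database" for the example; a real app would use its ORM.
@dataclass
class User:
    username: str
    password_hash: str
    # token -> device key it was issued to (one token per device, as in the answer)
    tokens: dict = field(default_factory=dict)


def hash_password(password: str) -> str:
    # Stand-in for bcrypt/argon2; plain sha256 is only acceptable for this demo.
    return hashlib.sha256(password.encode()).hexdigest()


def new_session_token() -> str:
    # 32 random bytes, URL-safe. Carries no user data, so there is nothing to encrypt.
    return secrets.token_urlsafe(32)


def device_key(client_subnet: str, fingerprint: str) -> str:
    # Hash of the "provider subnet + fingerprint" bundle from the answer.
    return hashlib.sha256(f"{client_subnet}|{fingerprint}".encode()).hexdigest()


def login(user: User, password: str, client_subnet: str, fingerprint: str):
    """Returns the cookie value to set, or None if the password is wrong."""
    if not hmac.compare_digest(user.password_hash, hash_password(password)):
        return None
    token = new_session_token()
    user.tokens[token] = device_key(client_subnet, fingerprint)  # old tokens are left alone
    return token


def change_password(user: User, new_password: str) -> None:
    user.password_hash = hash_password(new_password)
    user.tokens.clear()  # every existing cookie, on every device, now fails the check


def _lookup_token(user: User, cookie_token: str):
    # Linear scan with a constant-time compare per entry, so a mismatch leaks no prefix length.
    for token, dev in user.tokens.items():
        if hmac.compare_digest(token, cookie_token):
            return dev
    return None


def check_request(user: User, cookie_token, client_subnet: str, fingerprint: str) -> str:
    """'ok', 'logout' (unknown token) or 'reauth' (known token, unseen device bundle)."""
    if not cookie_token:
        return "logout"
    bound_device = _lookup_token(user, cookie_token)
    if bound_device is None:
        return "logout"
    if not hmac.compare_digest(bound_device, device_key(client_subnet, fingerprint)):
        return "reauth"
    return "ok"


def cookie_header(token: str) -> str:
    # Flags that protect a bearer token: no script access, HTTPS only, no cross-site sending.
    return f"Set-Cookie: session_token={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def demo() -> list:
    alice = User("alice", hash_password("correct horse"))
    laptop = login(alice, "correct horse", "203.0.113.0/24", "fp-laptop")
    phone = login(alice, "correct horse", "198.51.100.0/24", "fp-phone")
    results = [check_request(alice, laptop, "203.0.113.0/24", "fp-laptop")]
    # Same token presented from an unseen bundle: ask for a fresh login instead of trusting it.
    results.append(check_request(alice, laptop, "192.0.2.0/24", "fp-other"))
    change_password(alice, "new passphrase")
    # Both earlier cookies are now stale and get logged out.
    results.append(check_request(alice, phone, "198.51.100.0/24", "fp-phone"))
    return results


if __name__ == "__main__":
    print(demo())
    print(cookie_header(new_session_token()))
```

The device-bundle check is a heuristic, not a secret: subnets change on mobile networks and fingerprints can be copied, so treat a mismatch as a reason to re-authenticate rather than as proof of theft.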
