
Is there any use case where you would store hashed credentials in a cookie?

EDIT

I was discussing with a colleague whether it's advisable to do this. Since then, I found an example where a hashed password was used in the cookie.

Why would you even store hashed passwords inside a cookie?

Cookie Settings

HTTP502
  • 31
  • 2
  • 3
    Define "credentials". Session identifiers could be seen as credentials, in which case the answer is "yeah, pretty much always". If you're talking about passwords, then no, don't do that. – AndrolGenhald Feb 08 '19 at 16:09
  • I assume the asker is referring to username+password as credentials. I don't know of any valid use case for storing a hash of username+password in a cookie. – Daisetsu Feb 08 '19 at 16:25
  • Not a good idea; imagine an XSS attack like browser.cookies.getAll() – osanger Feb 08 '19 at 16:27
  • 3
    Just asking "is there any use case for ..." without any kind of context is a bit strange in my opinion. Either you stumbled over some application which behaves this way or some developer suggested this to you to solve a particular problem or you found some example code which does this and wonder where such a thing could be used or ... . Please add this kind of missing context to your question. – Steffen Ullrich Feb 08 '19 at 17:59
  • I meant usernames and their corresponding passwords. Sorry for the confusion. Sorry for not providing the relevant information - this question came up in a discussion about securely using cookies. – HTTP502 Feb 11 '19 at 08:36
  • @HTTP502 In that case this may be relevant. There's really no good reason to store passwords or password hashes in cookies, although it's hard to be 100% sure that's what's going on in your screenshot without testing a valid password against the hash. It could just be a poorly named cookie. – AndrolGenhald Feb 12 '19 at 15:29
  • @AndrolGenhald Thanks for your information. I changed the password and the hash inside the cookie changed as well. So I hardly assume that this was the hashed password. – HTTP502 Feb 15 '19 at 12:00
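
For contrast with the password-derived cookie discussed in the comments, here is an added example (not from the question or any commenter) of the session-identifier approach: the cookie carries a random token unrelated to the password, it is flagged HttpOnly so page script cannot read it, and the server can revoke it. The in-memory `SESSIONS` table, the function names and the user name `alice` are assumptions made for illustration.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie

# Server-side session table (in-memory stand-in for a database):
# sha256(token) -> username
SESSIONS = {}

def digest(token):
    # Only a digest of the token is stored, so a leaked table yields no usable cookie.
    return hashlib.sha256(token.encode()).hexdigest()

def login(username):
    """Call after the password has been verified; returns a Set-Cookie value."""
    token = secrets.token_urlsafe(32)      # 256 random bits, unrelated to the password
    SESSIONS[digest(token)] = username
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True   # not readable from page script
    cookie["session"]["secure"] = True     # sent over HTTPS only
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()

def authenticate(cookie_header):
    """Map a request's Cookie header to a username, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "session" not in jar:
        return None
    return SESSIONS.get(digest(jar["session"].value))

def revoke_all(username):
    """On logout or password change: drop every session of this user."""
    for key in [k for k, user in SESSIONS.items() if user == username]:
        del SESSIONS[key]

if __name__ == "__main__":
    header = login("alice")                    # constructed user name
    print(header)
    token = header.split(";")[0].split("=", 1)[1]
    print(authenticate("session=" + token))
    revoke_all("alice")
    print(authenticate("session=" + token))
```
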

0 Answers