is it safe to store the username/pwd in an encrypted cookie?
Koxx3 opened this issue · 4 comments
Hello,
I am wondering if it is safe to store the username and password in an encrypted cookie?
Could a better solution be found/used?
Thanks
Hello, Koxx3.
First of all, I'm not sure which cookie you are talking about. Most likely no, it is not safe, and it is better to use the SCRAM approach.
Secondly, please use mailing lists to ask questions about the daemon and nginx usage.
Thank you!
@oxpa, hello!
- I didn't find "mailing lists" for this project :(
- It is the cookie called nginxauth.
Quote from the article on the nginx blog:
The backend daemon constructs a string of the format username:password, applies Base64 encoding, generates a cookie called nginxauth with its value set to the encoded string, and sends the cookie to the client. It sets the httponly flag to prevent use of JavaScript to read or manipulate the cookie (protecting against the cross‑site scripting [XSS] vulnerability).
I'm wondering why it doesn't use token/session/cookie-based authentication, but instead plainly saves the credentials to a cookie and calls the auth backend again for each request.
Maybe I didn't understand something correctly?
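To make the difference concrete, the following is an added example in Python (not code from the nginx-ldap-auth project or from the nginx blog post). It builds the nginxauth cookie value exactly as the quoted paragraph describes and shows that Base64 decodes straight back to the password, since Base64 is an encoding, not encryption. It then shows the kind of alternative the question is asking about: an HMAC-signed session token that carries only the username and an expiry, so the password is sent once at login and never stored in the cookie. The key, the 1-hour TTL, the payload layout and the function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def make_nginxauth_cookie(username: str, password: str) -> str:
    """Build the cookie value the blog post describes: Base64 of 'username:password'.

    This is the scheme under discussion, reproduced to show what it contains.
    """
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_nginxauth_cookie(cookie: str) -> Tuple[str, str]:
    """Anyone holding the cookie (proxy logs, a TLS-terminating box, a stolen
    cookie jar) can reverse it: Base64 has no key, so this is the password."""
    username, _, password = base64.b64decode(cookie).decode().partition(":")
    return username, password


# Constructed example key for the signed-token alternative below. In a real
# deployment this is a long random secret known only to the auth backend.
SESSION_KEY = b"constructed-example-key-do-not-reuse-0123456789abcdef"
DEFAULT_TTL_SECONDS = 3600  # assumed 1-hour session lifetime


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def make_session_token(username: str, key: bytes, now: int,
                       ttl: int = DEFAULT_TTL_SECONDS) -> str:
    """Issue 'base64url(username:expiry).base64url(hmac)'.

    The password is checked once (e.g. against LDAP) before this is called and
    is not part of the token; a stolen token is bounded by the expiry and can
    be invalidated by rotating the key.
    """
    payload = f"{username}:{now + ttl}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(mac)}"


def verify_session_token(token: str, key: bytes, now: int) -> Optional[str]:
    """Return the username if the token is authentic and unexpired, else None.

    The MAC is checked with a constant-time comparison before the payload is
    trusted; any malformed token is rejected rather than raising.
    """
    try:
        payload_b64, mac_b64 = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        username, _, expiry = payload.decode().rpartition(":")
        if now >= int(expiry):
            return None
        return username
    except ValueError:  # bad Base64, bad UTF-8, missing separator, non-integer expiry
        return None


if __name__ == "__main__":
    cookie = make_nginxauth_cookie("alice", "s3cret")
    print("nginxauth cookie:", cookie)
    print("decoded back to:", decode_nginxauth_cookie(cookie))

    issued_at = 1_700_000_000
    token = make_session_token("alice", SESSION_KEY, now=issued_at)
    print("session token:", token)
    print("valid now:", verify_session_token(token, SESSION_KEY, now=issued_at + 60))
    print("after expiry:", verify_session_token(token, SESSION_KEY, now=issued_at + 7200))
```

The contrast worth noticing is in what a leaked cookie buys an attacker: the nginxauth value yields the LDAP password itself, which is reusable everywhere that password is valid and has no expiry, whereas the signed token yields one user's session until it expires and is worthless once the key is rotated. The httponly flag mentioned in the quote limits JavaScript access but does nothing about either exposure path.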
@Koxx3, hello!
Did you add something to save the authentication result in your solution?