Cookies do not protect sensitive information against cross-site scripting (XSS) attacks.
An attacker who is able to obtain a cookie, either through an XSS attack or directly by
attacking the client, can obtain the sensitive information from the server using the cookie.
This risk is time-boxed if the server invalidates the session after a limited time has elapsed,
such as 15 minutes.

A cookie is typically a short string. If it contains sensitive information, that information
should be encrypted. Sensitive information includes user names, passwords, credit card
numbers, social security numbers, and any other personally identifiable information about
the user. For more details about managing passwords, see Guideline 13, "Store passwords
using a hash function." For more information about securing the memory that holds sensitive
information, see Guideline 1, "Limit the lifetime of sensitive data."
Noncompliant Code Example
In this noncompliant code example, the login servlet stores the user name and password
in the cookie to identify the user for subsequent requests:
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

protected void doPost(HttpServletRequest request,
                      HttpServletResponse response) {
  // Validate input (omitted)
  String username = request.getParameter("username");
  char[] password =
      request.getParameter("password").toCharArray();
  boolean rememberMe =
      Boolean.valueOf(request.getParameter("rememberme"));

  LoginService loginService = new LoginServiceImpl();

  if (rememberMe) {
    // The first cookie is expected to carry "username;password"
    // in the clear, which is the flaw this example demonstrates.
    // (getCookies() returns null when the request carries no
    // cookies; that is left as in the original.)
    if (request.getCookies()[0] != null &&
        request.getCookies()[0].getValue() != null) {
      String[] value =
          request.getCookies()[0].getValue().split(";");
      if (!loginService.isUserValid(value[0],
                                    value[1].toCharArray())) {
        // Set error and return
      } else {
        // Forward to welcome page
      }
    }
    // The branch that validates the submitted credentials and
    // writes them into the cookie (described above) is not
    // present in this excerpt.
  }
}
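A compliant counterpart, added here as an example and not the book's own code: the browser receives only the container's opaque session ID cookie, the user name is kept server-side in the session, the session is time-boxed at 15 minutes as the text suggests, and the password array is cleared as soon as it has been checked. LoginService, LoginServiceImpl and the /welcome path are the hypothetical names used by the excerpt above.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {
  // Matches the time box suggested in the text above.
  private static final int SESSION_TIMEOUT_SECONDS = 15 * 60;

  @Override
  protected void doPost(HttpServletRequest request,
                        HttpServletResponse response)
      throws ServletException, IOException {
    // Validate input (omitted, as in the excerpt)
    String username = request.getParameter("username");
    char[] password =
        request.getParameter("password").toCharArray();

    // Hypothetical authentication interface, as in the excerpt.
    LoginService loginService = new LoginServiceImpl();
    try {
      if (!loginService.isUserValid(username, password)) {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
      }
      // Drop any pre-login session so a session ID that existed
      // before authentication is never promoted to a logged-in one.
      HttpSession old = request.getSession(false);
      if (old != null) {
        old.invalidate();
      }
      // Only the container's opaque session ID reaches the browser;
      // the user name stays server-side and the password is never
      // stored anywhere.
      HttpSession session = request.getSession(true);
      session.setMaxInactiveInterval(SESSION_TIMEOUT_SECONDS);
      session.setAttribute("user", username);
      response.sendRedirect(request.getContextPath() + "/welcome");
    } finally {
      // Scrub the password from memory once it is no longer needed.
      Arrays.fill(password, ' ');
    }
  }
}
```

Setting the session cookie's HttpOnly and Secure flags (for example via the cookie-config element in web.xml on Servlet 3.0+) keeps the ID itself out of reach of injected script, but the data it refers to is still only ever held on the server.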