It's NOT secure to store passwords in cookies because they are available as plain text.

将密码存储在 cookie 中是不安全的，因为它们以纯文本形式提供。

A good place to find some answers about cookies is Cookie Central.For membership usually is used a cookie with a long string called 'token' that is issued from the website when you provide your user name and password. More about the process you can find in this article. When using forms authentication in ASP.NET you can set the authentication cookie like this:

寻找有关 cookie 的一些答案的好地方是Cookie Central。对于会员资格，通常使用带有名为“令牌”的长字符串的 cookie，当您提供用户名和密码时，该 cookie 会从网站发布。您可以在本文中找到有关该过程的更多信息。在 ASP.NET 中使用表单身份验证时，您可以像这样设置身份验证 cookie：

FormsAuthentication.SetAuthCookie(userName, isPersistanceCookie);

The second parameter is used for "Remember Me" functionality - if true it will create persistent cookies that will last after you leave the site. You can also programatically manipulate the cookie like this:

第二个参数用于“记住我”功能 - 如果为 true，它将创建持久性 cookie，在您离开站点后将持续存在。您还可以像这样以编程方式操作 cookie：

HttpCookie authCookie =
  HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];

This is what you should never do, because it is very easy to change the value of a cookie and send back to server. Even storing "user is looged in as 'naivists'" in a cookie is wrong, because I could then change it to "user is logged in as 'Pandiya Chendur'".

这是您永远不应该做的事情，因为更改 cookie 的值并将其发送回服务器非常容易。即使在 cookie 中存储“用户作为 'naivists' 闯入”也是错误的，因为我可以将其更改为“用户以 'Pandiya Chendur' 身份登录”。

What you can do in cookies is give information to clients that, even if changed, does not make sense to the server. For instance - favourite color, first page layout et cetera.

您可以在 cookie 中做的是向客户端提供即使更改后对服务器也没有意义的信息。例如 - 最喜欢的颜色、首页布局等等。

You may give them session ID which is stored in a cookie, because they cannot make anything better for themselves, if they change the value to something else (unless they know a valid session ID from another session).

您可以给他们存储在 cookie 中的会话 ID，因为如果他们将值更改为其他值（除非他们知道来自另一个会话的有效会话 ID），他们无法为自己做任何更好的事情。

What Microsoft's MSDN says about using cookies:

Microsoft 的 MSDN关于使用 cookie 的说明：

The security issues with cookies are similar to those of getting data from the client. In your application, cookies are another form of user input and are therefore subject to examining and spoofing. A user can as a minimum see the data that you store in a cookie, since the cookie is available on the user's own computer. The user can also change the cookie before the browser sends it to you.

You should never store sensitive data in a cookie, such as user names, passwords, credit card numbers, and so on. Do not put anything in a cookie that should not be in the hands of a user or of someone who might somehow steal the cookie.

Similarly, be suspicious of information you get out of a cookie. Do not assume that the data is the same as when you wrote it out; use the same safeguards in working with cookie values that you would with data that a user has typed into a Web page. The examples earlier in this topic showed HTML-encoding the contents of a cookie before displaying the value in a page, as you would before displaying any information you get from users.

Cookies are sent between browser and server as plain text, and anyone who can intercept your Web traffic can read the cookie. You can set a cookie property that causes the cookie to be transmitted only if the connection uses the Secure Sockets Layer (SSL). SSL does not protect the cookie from being read or manipulated while it is on the user's computer, but it does prevent the cookie from being read while in transit because the cookie is encrypted. For more information, see Basic Security Practices for Web Applications.

cookie 的安全问题类似于从客户端获取数据的安全问题。在您的应用程序中，cookie 是另一种形式的用户输入，因此会受到检查和欺骗。用户至少可以看到您存储在 cookie 中的数据，因为 cookie 在用户自己的计算机上可用。用户还可以在浏览器将 cookie 发送给您之前更改 cookie。

您永远不应在 cookie 中存储敏感数据，例如用户名、密码、信用卡号等。不要将任何不应该在用户或可能以某种方式窃取 cookie 的人手中的东西放入 cookie。

同样，对您从 cookie 中获得的信息保持怀疑。不要假设数据和你写出来的时候一样；在处理 cookie 值时使用与处理用户输入到网页中的数据相同的保护措施。本主题前面的示例显示了在页面中显示值之前对 cookie 的内容进行 HTML 编码，就像在显示从用户那里获得的任何信息之前一样。

Cookie 以纯文本形式在浏览器和服务器之间发送，任何可以拦截您的 Web 流量的人都可以读取该 Cookie。您可以设置一个 cookie 属性，该属性仅在连接使用安全套接字层 (SSL) 时才传输 cookie。SSL 不能防止 cookie 在用户计算机上被读取或操纵，但它确实可以防止 cookie 在传输过程中被读取，因为 cookie 是加密的。有关更多信息，请参阅 Web 应用程序的基本安全实践。

No! Don't store passwords in cookies!

不！不要将密码存储在 cookie 中！

In ASP.NET, use

在 ASP.NET 中，使用

FormsAuthentication.SetAuthCookie(username, true);

The second argument's value determines if the cookie is persistent (the remember me checkbox's value).

第二个参数的值确定 cookie 是否持久（记住我复选框的值）。

It is not at all secure. Cookies are stored in the client computer, which can be tampered with.

它根本不安全。Cookie 存储在客户端计算机中，可以被篡改。

No, not remotely secure. You have no guarantee that cookies aren't stored in plain text (and in fact, most implementations dostore them as plain text).

不，不远程安全。您无法保证 cookie 不会以纯文本形式存储（事实上，大多数实现确实将它们存储为纯文本）。

Mind you, "remember me" is inherently insecure, as anyone intercepting the cookie gets access to the application. But exposing a user's password takes it a step further down the insecurity ladder. :-) And probably makes the user really mad, if they find out.

请注意，“记住我”本质上是不安全的，因为任何拦截 cookie 的人都可以访问应用程序。但是暴露用户的密码会使不安全的阶梯更进一步。:-) 如果他们发现，可能会让用户非常生气。

I use an encrypted cookie string which incorporates the user's account name combined with a token that is in no (other) way associated with the user's account except in a table on my server. When the user returns to the site, we decrypt the cookie and look up whether that token is in fact associated with that account. The token (and therefore cookie) changes every auto-login, and invalidates the one used for that auto-login. (There's a many-to-one relationship between the tokens and the account, to allow for auto-login from multiple locations. You could limit that if you like.) Tokens time out if they aren't used within X days. (This is not only done by limiting the duration of the cookie; it's done server-side as well.) There are a few other things I throw in there to make life a bitdifficult for someone trying to decode the cookie (having successfully decrypted it) or use a stolen cookie (which doesn't require decryption), but there's no point in going overkill (again, "remember me" is inherently insecure).

我使用了一个加密的 cookie 字符串，它结合了用户的帐户名和一个令牌，除了在我的服务器上的表中之外，该令牌与用户的帐户没有任何（其他）关联。当用户返回站点时，我们会解密 cookie 并查找该令牌实际上是否与该帐户相关联。令牌（因此 cookie）会更改每次自动登录，并使用于该自动登录的令牌无效。（令牌和帐户之间存在多对一的关系，以允许从多个位置自动登录。如果您愿意，您可以限制它。）如果在 X 天内没有使用令牌，它们就会超时。（这不仅限制cookie的持续时间完成的;它做服务器端也。）有一些其他的东西我扔在那里让生活有点对于试图解码 cookie（已成功解密）或使用被盗 cookie（不需要解密）的人来说，这很困难，但没有必要过度杀伤（同样，“记住我”本质上是不安全的）。

I use that on a site where robust security is not really necessary (obviously) and which has a large number of dynamic-IP clients, and so I don't try to lock it down to an IP. But even locking it down to an IP doesn't make it secure, it just reduces the attack surface a bit.

我在一个不需要强大安全性（显然）并且具有大量动态 IP 客户端的站点上使用它，因此我不会尝试将其锁定到 IP。但即使将其锁定到某个 IP 也不能使其安全，它只是稍微减少了攻击面。

You may be wondering why I have the username in the cookie. For straight "remember me" purposes, I wouldn't recommend having it there, even if it is encrypted (after all, it's half of the authentication pair in a username+password system). I was a bit surprised to find it in our cookie when I looked at the format when reminding myself how we did this for this question; but then I saw the comments explaining why it's there and there are reasons unrelated to "remember me" (not necessarily persuasivereasons, in hindsight, but reasons).

您可能想知道为什么我在 cookie 中有用户名。对于直接“记住我”的目的，我不建议将它放在那里，即使它是加密的（毕竟，它是用户名+密码系统中身份验证对的一半）。当我提醒自己我们是如何为这个问题做这件事时，当我查看格式时，我有点惊讶地发现它在我们的 cookie 中；但后来我看到评论解释了为什么它在那里，并且有一些与“记住我”无关的原因（事后看来不一定是有说服力的原因，而是原因）。

On a final note, the fact that "remember me" is inherently insecure is one of many reasons why site logs are very important, and why you should require password reverification in the process of allowing changes to important account information (to make it harder for someone having stolen the cookie to take ownership of the account).

最后要注意的是，“记住我”本质上是不安全的，这是站点日志非常重要的众多原因之一，也是为什么在允许更改重要帐户信息的过程中需要重新验证密码（使更改更难）有人窃取了 cookie 以获得帐户的所有权）。

It's not secure to store passwords in cookies cause they are available as plain text. but if your preferred criteria is to do so or any user requirement is there you can do so by encrypting the strings. that can make this safe enough.

将密码存储在 cookie 中是不安全的，因为它们以纯文本形式提供。但如果您的首选标准是这样做或有任何用户要求，您可以通过加密字符串来实现。这可以使这足够安全。

but it is not recommended,

但不推荐，

I think you need to create a token with username and an encrypted authentication string which you get from windows Identity. No need to store password on cookie. We have our application which stored username and authenticated string

我认为您需要创建一个带有用户名和加密身份验证字符串的令牌，该字符串是从 Windows Identity 中获得的。无需在 cookie 上存储密码。我们有我们的应用程序，它存储了用户名和经过身份验证的字符串

Btw, store passwords isn't secure everywhere, both client and server-side.

顺便说一句，无论是客户端还是服务器端，存储密码都不是处处安全的。

You don't need to do that.

你不需要这样做。

What Branislavsaid, and...

什么布拉尼说，和...

In addition to not putting sensitive data in your cookies, you should also secure them by placing at least the following in your web.config:

除了不要将敏感数据放入 cookie 之外，您还应该通过在 web.config 中至少放置以下内容来保护它们：

<httpCookies httpOnlyCookies="true" />

For more details see: How exactly do you configure httpOnlyCookies in ASP.NET?

有关更多详细信息，请参阅：您如何在 ASP.NET 中准确配置 httpOnlyCookies？

• If you use SSL which you should if you are transmitting any secure information, that eliminates a third party from listening to your web traffic. This would be the same issue regardless of storing a users credentials in a cookie because when they login your sending their username and password to the server anyway, where I assume the server hashes it and compares it against the hashed password you have for that user.

• Other domains will never be able to read your cookie because of cross-origin so that's not an issue.

• So really the only "security hole" if you want to call it that is if someone physically gains access to their computer. If that happens they're most likely going to get any information that want from that person anyway. How do you explain when chrome auto fills out login forms for you, is that secure? I'm sure they are not storing it in plain text but that doesn't even matter. If you go to a page that chrome auto fills you can just copy the password out of the form and look at that you now have that persons password.

• It really comes down to how "secure" you need it to be. I agree that encrypting a users information with an expiration as a token is the best way to authenticate service calls and it provides flexibility. I just do not see the issue with storing login credentials in a cookie.

• 如果您在传输任何安全信息时使用 SSL，则应避免第三方监听您的网络流量。无论将用户凭据存储在 cookie 中，这都是相同的问题，因为当他们登录时，您无论如何都会将他们的用户名和密码发送到服务器，我假设服务器对其进行散列并将其与您为该用户拥有的散列密码进行比较。

• 由于跨域，其他域将永远无法读取您的 cookie，因此这不是问题。

• 所以真正唯一的“安全漏洞”，如果你想称之为，那就是有人可以物理地访问他们的计算机。如果发生这种情况，他们很可能会从那个人那里得到任何想要的信息。你如何解释 chrome auto 为你填写登录表单时，是否安全？我确定他们不会以纯文本形式存储它，但这甚至无关紧要。如果您转到 chrome 自动填充的页面，您只需从表单中复制密码，然后查看您现在是否拥有该人的密码。

• 这真的归结为您需要它有多“安全”。我同意将到期的用户信息加密为令牌是验证服务调用的最佳方式，它提供了灵活性。我只是没有看到将登录凭据存储在 cookie 中的问题。