#1
Safely storing a password
Is there a safe way to store a password in a CFCOOKIE? I'd like to include a "Remember Me" feature in my login page, and the easiest way to do it is to set the username and password in a cookie. But when I do that the password is stored in plain text. Is there a better way?
If the application is sensitive at all, do NOT store the password in a cookie. Cookies are plain text and very easy to view/intercept/modify. I would store the user's login status as a client variable and use that to determine whether to let them in or not on repeat visits. This way their password is not kept in the cookie, just the login status.
__________________
Ask if you have a question, but also help answer questions that you have knowledge of! Thanks, Brian. How to Post a Question in the Forums
That's what I figure, but I didn't know if there was a way to hash it and decrypt it.
Will a client variable still work after the session has expired though?
Yes, client variables are not tied to session variables, though they are similar. You can sort of think of client variables as "across multiple session" variables. They're usually stored in a database, though they are stored in the system registry by default (not a good idea, use a database). The only caveat of using client vars is that you can't store complex data types, only simple values like strings. That means no structures, arrays, queries, etc. Though given what you're trying to do this should not affect you.
You COULD encrypt the password in the cookie, but that probably wouldn't gain you anything because you'd also have to store the "seed" that you used in the hash along with the hashed password in the cookie, in order to decrypt it again. Which sort of makes the whole process useless (beyond simple obfuscation). Regards, Brian
As kiteless suggested, it's typically not a good idea to store important information in cookies. Information stored in cookies is stored on the client machine, and the browser exchanges this information with the server in plain text. But, if you're not using SSL, passwords are even exchanged as plain text upon login.

When using <CFAPPLICATION>, by default two cookies are set on the client, 1) Cookie.CFID and 2) Cookie.CFTOKEN. These two cookies store numbers that are unique to a visitor. These cookies help the CF server to determine which client and session variables stored on the server belong to a user. By default, client variables are stored in the registry, which is a bad thing in Windows, b/c if the registry becomes too big, it may become corrupt. In the CF administrator, you can specify how long to keep client variables before purging them.

You shouldn't have to set the password as a cookie or client variable. You should be able to set a variable called client.userid (using the value of the field in the db that is the primary key for a user). Maybe in application.cfm, you can set

<cfparam name="client.userid" default="0">

One use of <cfparam> checks to see if a variable is already defined, and if it isn't, sets a default value. Then you can do something like

<cfif client.userid>
  <cflocation url="somepage.cfm">
</cfif>

Notice I didn't use an EQ here. If client.userid is any positive integer, then the condition will be true. By client.userid being defined, they have obviously been to the site before, so you can pull from the database, set session variables, or perform some other action based on client.userid and possibly perform another <cflocation>.

A Note About Passwords In General
When storing passwords in the database, I typically use CF's Hash() function. You can not decrypt what the Hash() function has encrypted. To compare passwords, I typically Hash() what's passed at login and compare it to the encrypted string that's stored in the database. Since you can not decrypt what's stored in the database, you can not retrieve a user's password, but instead, what I usually do is generate a new one, an automated process.

One More Note
While complex objects (structures, arrays, queries) can not be stored as client variables, they can be converted to WDDX packets, and the WDDX packet can be stored as a client variable since a WDDX packet is simply an XML parsed string.
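Putting the thread's advice together in one place, as an added example and not code from any of the posts above: the login page re-hashes the submitted password, compares it with the stored hash, and then remembers only client.userid, so neither the cookie nor the client store ever holds the password. It assumes a datasource named myDSN, a users table with userid, username, salt and passwordhash columns, and a CF version whose Hash() accepts an algorithm argument; the per-user salt column and cfqueryparam are my additions, not something the posts describe.

```cfml
<!--- Application.cfm (assumed file): keep client variables in a database
      rather than the registry, as recommended in the thread. "myDSN" is an
      assumed datasource name. --->
<cfapplication name="rememberMeDemo"
               clientmanagement="yes"
               clientstorage="myDSN"
               setclientcookies="yes">

<!--- Default state: not logged in. The client scope holds only this simple
      value, never the password. --->
<cfparam name="client.userid" default="0">

<!--- login.cfm (assumed file): verify the password by hashing what was
      submitted and comparing it with the stored hash, then remember only
      the user's primary key. --->
<cfif structKeyExists(form, "username") and structKeyExists(form, "password")>
  <cfquery name="qUser" datasource="myDSN">
    SELECT userid, salt, passwordhash
    FROM users
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
  </cfquery>

  <!--- Hash(salt & password); the salt column is an assumption beyond the
        thread, which hashes the bare password. compare() returns 0 on an
        exact, case-sensitive match. --->
  <cfif qUser.recordCount eq 1
        and compare(qUser.passwordhash, hash(qUser.salt & form.password, "SHA-256")) eq 0>
    <cfset client.userid = qUser.userid>
    <cflocation url="somepage.cfm" addtoken="no">
  <cfelse>
    <!--- Same message for an unknown user and a wrong password --->
    <cfset request.loginError = "Invalid username or password.">
  </cfif>
</cfif>

<!--- somepage.cfm (assumed file): a protected page. The remembered login
      status gates access; any positive client.userid passes, as in post #5. --->
<cfif not client.userid>
  <cflocation url="login.cfm" addtoken="no">
</cfif>
```

To log the visitor out of the "remember me" state, reset client.userid to 0 rather than deleting the cookies, so the cfparam default keeps working on the next visit.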
Dev Shed Forums > Programming Languages - More > ColdFusion Development > Safely storing a password