No real reason not to go with AES with 256 bits. Make sure to use this in CBC mode, and PKCS#7 padding. As you said, fast and secure. I have read (not tested) that Blowfish may be marginally faster… However Blowfish has a major drawback of long setup time, which would make it bad for … Read more
First off, you should never store the user’s credentials in a cookie. It’s incredibly insecure. The password will be passed with every request as well as being stored in plain text on the user’s machine. Second, don’t reinvent the wheel, especially when security is concerned, you’ll never get it right. ASP.Net already provides this functionality … Read more
It’s NOT secure to store passwords in cookies because they are available as plain text. A good place to find some answers about cookies is Cookie Central. For membership usually is used a cookie with a long string called ‘token’ that is issued from the website when you provide your user name and password. More … Read more
Update (2017-08-13): To understand why we’re separating selector and token, instead of just using a token, please read this article about splitting tokens to prevent timing attacks on SELECT queries. I’m going to extract the strategy outlined in this blog post about secure long-term authentication since that covers a lot of ground and we’re only … Read more
OK, let me put this bluntly: if you’re putting user data, or anything derived from user data into a cookie for this purpose, you’re doing something wrong. There. I said it. Now we can move on to the actual answer. What’s wrong with hashing user data, you ask? Well, it comes down to exposure surface … Read more
Improved Persistent Login Cookie Best Practice You could use this strategy described here as best practice (2006) or an updated strategy described here (2015): When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie. The login cookie contains a series identifier and … Read more