Is there method to prevent a cookie to be used on another computer?
I put some authentication information in a cookie. For security reasons, I want to prevent someone copying the cookie to another computer and using it to log in. How can I do it?
As said before, if you are putting authentication information into cookies in plaintext, you should seriously consider using something like sessions.
Once you have sessions, perhaps you could associate the session id with an IP address in your backend, and check if the session id and requesting IP address match: that way, if someone copies the cookie containing the session id and then tries to access the site remotely, the session id and IP will not match up, and the authentication will fail.
There is not. You should NEVER put sensitive data in a cookie.
For authentication information you should use sessions.
http://www.tizag.com/phpT/phpsessions.php
You could encrypt the information with a reliable, public, well known algorithm. Then if the cookie was copied, the recipient wouldn't be able to glean any information from it.
Of course this means you need to do the encryption and decryption on a server to keep it secure, otherwise (if you used JavaScript) the private key could be obtained from the JavaScript code and used to decrypt the cookie. You would also have to work out whether the cookie you are receiving is from the original recipient, or whether it is a copy.
Since you have to do this server-side for it to work, you may as well use a session anyway. This is just like a cookie, except an ID is passed around instead of the actual data (the ID is used to look up the data on the server.) However it is still possible to copy the session cookie and make another computer appear to be logged in as the original one, and this is what FireSheep does.
You should not put authentication information into the cookie itself. When setting the cookie you should make a session, tied to some persistent storage (sql/nosql).
This is basically some unique randomly generated ID that is matched with other information. The randomly generated ID is sent as the cookie. On successive requests you read the cookie, and try to get a user account from it.
You can place constraints on the session so that it can only be accessed from the IP address that you assigned it to. You could also tie it to the user-agent (although this is security by obscurity, since user-agents can be configured).
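The scheme described in this answer and in the first one (random session id in the cookie, user data and client binding kept server-side), written out as an added example that is not code from any of the posters. It assumes an in-memory dict standing in for the SQL/NoSQL store and a one-hour session lifetime; both are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed value for this example


class SessionStore:
    """Server-side session table: the cookie carries only a random id."""

    def __init__(self):
        self._sessions = {}  # session_id -> record; stands in for SQL/NoSQL

    @staticmethod
    def _fingerprint(ip, user_agent):
        # Store a hash of the user-agent rather than the raw header.
        return ip, hashlib.sha256(user_agent.encode()).hexdigest()

    def create(self, user_id, ip, user_agent):
        # 256 bits of randomness: the id reveals nothing about the user.
        session_id = secrets.token_urlsafe(32)
        ip_bound, ua_hash = self._fingerprint(ip, user_agent)
        self._sessions[session_id] = {
            "user": user_id, "ip": ip_bound, "ua": ua_hash,
            "expires": time.time() + SESSION_TTL,
        }
        return session_id

    def lookup(self, session_id, ip, user_agent):
        """Return the user id, or None if the id is unknown, expired, or
        presented from a different IP / user-agent than it was issued to."""
        rec = self._sessions.get(session_id)
        if rec is None or time.time() > rec["expires"]:
            self._sessions.pop(session_id, None)
            return None
        ip_now, ua_now = self._fingerprint(ip, user_agent)
        # Constant-time comparison of the stored binding against the request.
        if not (hmac.compare_digest(rec["ip"], ip_now)
                and hmac.compare_digest(rec["ua"], ua_now)):
            # A mismatch means a copied cookie or a changed client; the
            # session is dropped so the copy cannot be retried either.
            del self._sessions[session_id]
            return None
        return rec["user"]


def demo():
    store = SessionStore()
    sid = store.create("alice", "203.0.113.5", "Mozilla/5.0 (X11)")
    from_owner = store.lookup(sid, "203.0.113.5", "Mozilla/5.0 (X11)")
    from_copy = store.lookup(sid, "198.51.100.9", "Mozilla/5.0 (X11)")
    return from_owner, from_copy  # ("alice", None)
```

Binding to the IP has the cost the answers hint at: a user whose address changes mid-session (mobile networks, some proxies) is logged out.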