Cookies Security


  1. #1
    Kevin Algonquin (Guest)

    Cookies Security

    Currently I maintain user state through cookies. A user will log in with a username and password and I check this pair against the DB. If it is valid, I write a permanent cookie to the client's machine with their user_id (int from DB) and username. Then on subsequent trips to the site, I check for this cookie, and if it is there, they are assumed logged in as that user. On every page that depends on being logged in I check for this cookie to see if the client is a member.

    My question is, is this a secure method of maintaining user state across my application? I've had someone tell me they can log in as anyone else on my site. How is this possible? I'm running Win 2000/ASP/iis5. Thanks for your help.

  2. #2
    Markkk (Guest)

    RE: Cookies Security

    No! It is not a Very Secure method.....

    All one needs is a valid "user_id" and "username", modify their cookie, and presto! They have just cracked your security; they have access to pages for "user_id" and "username". This is true especially if the "user_id" field is an Auto-Number field, and if the "username" field can be readily obtained/guessed.

    Rather than setting the "user_id" or "username" in the cookie, I suggest that a random 8 to 14 character key be used instead. This random character key would be temporarily stored in a database table along with the "user_id" and "username", as long as the user session was active. Of course, the ASPSessionID could be used instead.

    An 8-character key can generate over 2.8 trillion different keys. The likelihood of an attacker guessing the proper key is much more unlikely than finding a "user_id" and "username" pair.

    e.g.

        2IDUROEK    User_ID_1    John Doe
        DIW6J376    User_ID_2    John Smith
        7QPC860D    User_ID_3    Mary Doe
        etc.

    On every page, simply determine if the user has privilege to view the page by cross-referencing the 8-character random key with your database info.

    I hope this helps......
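The two designs discussed in this thread, the original "user_id plus username in the cookie" scheme and the random-session-key table Markkk proposes, side by side as an added example. This is illustration code written for this page, not code from either poster, and it is in Python rather than the classic ASP the site runs on so the two lookups can be compared in one file. It goes beyond the answer in two respects: the key is a 32-byte token from the OS CSPRNG rather than an 8 to 14 character key, and each table row carries an expiry so a stale key stops working. The user table (`USERS`), the usernames, the cookie names `user_id`, `username` and `session`, and the class and function names are all constructed for the example.

```python
import secrets

# Constructed stand-in for the poster's user table: user_id -> username.
# The ids are sequential, which is exactly the auto-number case the answer warns about.
USERS = {1: "jdoe", 2: "jsmith", 3: "mdoe"}


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie request header ("a=1; b=2") into name -> value pairs."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs[name] = value
    return pairs


def user_from_insecure_cookie(cookie_header: str):
    """The original scheme: the client supplies user_id and username and the
    server trusts them. The DB lookup only confirms the pair exists, but the
    client chose the pair, so any real id plus its username logs them in."""
    cookie = parse_cookie_header(cookie_header)
    try:
        user_id = int(cookie.get("user_id", ""))
    except ValueError:
        return None
    if USERS.get(user_id) == cookie.get("username"):
        return user_id
    return None


def key_space(alphabet_size: int, length: int) -> int:
    """Distinct keys of a given length; 36 symbols at length 8 is the figure quoted above."""
    return alphabet_size ** length


class SessionStore:
    """The proposed scheme: the cookie carries only an opaque random key, and a
    server-side table maps that key to a user for as long as the session lives."""

    def __init__(self, ttl_seconds: float = 30 * 60):
        self.ttl = ttl_seconds
        self._sessions = {}  # key -> (user_id, expires_at); a DB table in practice

    def create(self, user_id: int, now: float) -> str:
        # 32 bytes from the OS CSPRNG, well beyond the 8-character example key.
        key = secrets.token_urlsafe(32)
        self._sessions[key] = (user_id, now + self.ttl)
        return key

    def resolve(self, cookie_header: str, now: float):
        """Return the user_id bound to the session key in the cookie, or None."""
        key = parse_cookie_header(cookie_header).get("session")
        if not key:
            return None
        entry = self._sessions.get(key)
        if entry is None:
            return None  # unknown or forged key: no privilege granted
        user_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[key]  # stale row is dropped rather than honoured
            return None
        return user_id

    def logout(self, key: str) -> None:
        self._sessions.pop(key, None)


if __name__ == "__main__":
    # A forged cookie against the original scheme is accepted as user 2.
    print(user_from_insecure_cookie("user_id=2; username=jsmith"))
    store = SessionStore(ttl_seconds=60)
    key = store.create(2, now=1000.0)
    print(store.resolve(f"session={key}", now=1010.0))    # 2
    print(store.resolve("session=2IDUROEK", now=1010.0))  # None: not in the table
    print(store.resolve(f"session={key}", now=1061.0))    # None: expired
```

In a real deployment the key is issued in a Set-Cookie header at login (with the HttpOnly and Secure attributes where the server supports them), the row is deleted on logout, and the page check is the `resolve` lookup by key instead of a lookup by the client-supplied id and name.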
