Cookie Security

lilboi

Programmer
Dec 22, 2003
Hi guys!

I'm trying to create a login required website right now. I also need to use cookies instead of Session as well.

I made it so that the cookies will hold the unique ID and the user's name.

Code:
Response.Cookies("vccc.com")("rid") = rid
Response.Cookies("vccc.com")("opName") = opName
Response.Cookies("vccc.com").expires = Date() + 1

The other pages will then check if the cookie exists, then pull out the rid and use that to pull out information regarding the user in the database.

My question is...what stops other people from creating that same cookie with vccc.com and putting any random rid in there and be able to access a random person's account?

What can I do to secure this? Should I create a Session ID # and put it in the cookie and put a copy in the table and see if it matches?

Thanks very much.
 
When the browser creates a cookie it is required to create it uniquely for whatever domain it happens to be on. So if it is receiving a response from then that cookie will only be made available to Even if I had my website parked on I would not be able to access the original cookie. This is why it is important to try and use relative links all throughout your website. I have seen more than one post about missing cookies and generally it turns out that someone created a cookie from but after their user followed a link to the cookie is not available.

So the quick answer is, if someone else creates a cookie with vccc.com, then the end user will now have two cookies like that :)

-T

 
Thanks Tarwn for the insight.

My thoughts were different tho. It's more of a security reason. Taking what you have explained, let me try to give an example.

User A has an account in In his cookies, the ID = 3. Let's say he logs in and has a cookie created.
Now what's stopping him from editing the cookie he has and changing ID = 2? From there, whenever the server reads the cookie, it now thinks it's User B and no longer User A. Both User A & B login through as well.

Is that possible? Account hack through cookies?
 
Definitely possible and one of the pitfalls of cookies. If you're concerned about it, you have the option of using Session variables instead. While Session variables are stored directly in RAM and will slow your entire server down if you put too much in them with too many people active, storing just some numbers or strings isn't too bad.
Advantage: values are not accessible to the user
Disadvantage: there is still a cookie written to the user to hold the server-generated SessionId value, but this should still be less chancy than directly storing an ID

-T

 
I don't want to use Session because I'm expecting a lot of logins and don't want to put a load on our....already prehistoric webserver. hehe

But thanks so much. I think I'll implement my idea above and will be using Session(ID) for a few seconds just to get a unique ID out of it and then abandon it right away.

Thanks again!
 
Think about the expiration date of the cookie and the security implications of a user at a public web terminal.
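The scheme lilboi proposes above (an unguessable session ID in the cookie, a copy in a server-side table, compared on every request), with the expiry and public-terminal concern from the last reply, as an added Python example that is not code from this thread; the in-memory USERS and SESSIONS dictionaries stand in for the database tables.

```python
import secrets
import time

# Constructed stand-ins for the user table and the session table.
USERS = {2: "userB", 3: "userA"}
SESSIONS = {}  # token -> (rid, expires_at)

SESSION_TTL = 24 * 60 * 60  # one day, matching Date() + 1 in the thread


def vulnerable_rid_from_cookie(cookie_rid):
    """The pattern discussed in the thread: whatever rid the cookie says is trusted.
    Editing the cookie value from 3 to 2 makes the server act as user 2."""
    rid = int(cookie_rid)
    return rid if rid in USERS else None


def login(rid, now=None):
    """Issue a random session token for rid and record it server-side.
    The cookie carries only the token, never the rid itself."""
    if rid not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    SESSIONS[token] = (rid, now + SESSION_TTL)
    return token


def rid_from_cookie(token, now=None):
    """Resolve a cookie token back to a rid, or None if unknown or expired.
    A forged or edited token has no row in SESSIONS, so it is rejected."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    rid, expires_at = entry
    if now >= expires_at:
        SESSIONS.pop(token, None)  # drop the dead session
        return None
    return rid


def logout(token):
    """Invalidate the server-side copy so the cookie is useless afterwards,
    which matters for a user walking away from a public terminal."""
    return SESSIONS.pop(token, None) is not None
```

Storing the token in the table rather than the rid means a user can only ever present a value the server itself issued, and deleting the row ends the session regardless of what the browser still holds.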
 