Cookie security

Status: Not open for further replies.

Crundy (Programmer, GB), Jul 20, 2001
Hello,
Is it secure, after authenticating someone, to send them a session cookie containing their username which subsequent pages can then use to see if they have logged on or not, and who they are?

Could someone else just set a cookie with username="whoever" and set the domain to your domain, then just browse your protected pages? Is it possible for someone to trick your server into thinking that a cookie set elsewhere was set by your server?

C:\DOS:>
C:\DOS:>RUN
RUN DOS RUN!!
 
Hi

For temporary access, use a standard Session variable instead of the cookie. This is secure because only your scripts can change the value, and the user never gets to see it.

Derren
[The only person in the world to like Word]
 
See, there is a lot of debate going on about cookies, because they occupy space on the user's machine and that way you are harming the privacy of the user. So if the user wants to keep his browser's cookies enabled, it is very secure to trap that cookie and maintain state with the cookie. Even Tek-Tips.com does it!!
Cookies have 6 attributes (parameters):
name
value
expire
domain
secure
path

Good web sites always encrypt the cookie file, so you can never decode that encryption and pretend to be someone.
So only the server which created the cookie can read that.
If you know the secret behind the encryption, you can definitely pretend to be what you are not!! (What they think of you and whom you are not)

Rushi Shroff Rushi@emqube.com
"Life is beautiful."
 
Derren: Isn't a session variable just a session cookie anyway?

I thought that if you did not set an expiry date for a cookie, it isn't stored on the user's hard drive and imitates a session variable (or is the same)?

C:\DOS:>
C:\DOS:>RUN
RUN DOS RUN!!
 
I am sorry, I am answering Derren's question. I am sorry for that, Derren.
Isn't a session variable just a session cookie anyway??

Yes, it is a session cookie and it gets deleted immediately.
Anyhow, you will need a browser ID (through a small per-session cookie) to recognise the client!!

If you go to Tools/Internet Options/Security/Custom
you will find there are 2 checkboxes in the cookie security area:
one for per-session cookies and the other for general cookies, which are permanently stored on your PC.

Any other feedback is welcome.. Much chewed issue ..

Rushi Shroff Rushi@emqube.com
"Life is beautiful."
 
FYI: I found out that people using one of our other webservers within the same domain (e.g. XX.domain.com) can set a cookie with the domain set to "domain.com", which will then trick my ASP program on my server into thinking that they have logged on. Therefore they could imitate any user who uses my scripts.

I'm going to fix this by encrypting the value of the cookie using a key which I'll store in the registry to make it difficult to get to.

Thanks for your help.

C:\DOS:>
C:\DOS:>RUN
RUN DOS RUN!!
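The forgery described in the thread, with the plain username cookie beside a value the server can verify, as an added example: this is not code from the thread or from the poster's ASP application, and it is written in Python rather than ASP. The poster plans to encrypt the value; this example instead authenticates it with an HMAC under a server-held key, since the property that stops a sibling host (or the user) from planting a usable cookie is that any value the server did not issue fails verification. The key, the separator, the cookie names and the sample Cookie headers are all assumptions of the example, and the key is hard-coded only so it runs offline.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Hypothetical server-side secret (an assumption of this example). The poster
# plans to keep such a key in the registry; it is hard-coded here only so the
# snippet runs offline. Never ship a fixed key.
SECRET_KEY = b"example-only-server-secret"
SEPARATOR = "|"


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a request Cookie header into name -> value (first occurrence wins).

    The server cannot tell which host set a cookie, only its name and value, so
    a cookie planted by xx.domain.com with Domain=domain.com looks identical to
    one the server set itself. That is the forgery the thread describes.
    """
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = value
    return cookies


def unsigned_user(header: str) -> Optional[str]:
    """The scheme asked about in the thread: trust the 'username' cookie as-is."""
    return parse_cookie_header(header).get("username")


def _tag(payload: str) -> str:
    """HMAC-SHA256 over the payload, keyed with the server secret."""
    return hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_session(username: str, ttl_seconds: int = 3600,
                  now: Optional[float] = None) -> str:
    """Build a tamper-evident cookie value: username|expiry|tag."""
    if SEPARATOR in username:
        raise ValueError("username must not contain the separator")
    current = time.time() if now is None else now
    payload = f"{username}{SEPARATOR}{int(current) + ttl_seconds}"
    return f"{payload}{SEPARATOR}{_tag(payload)}"


def verify_session(value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the tag verifies and the cookie is unexpired."""
    parts = value.split(SEPARATOR)
    if len(parts) != 3:
        return None
    username, expiry, tag = parts
    # Recompute the tag over exactly the bytes that were signed; compare_digest
    # keeps the comparison constant-time so the tag cannot be guessed byte by byte.
    expected = _tag(f"{username}{SEPARATOR}{expiry}")
    if not hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8")):
        return None
    current = time.time() if now is None else now
    if not expiry.isdigit() or int(expiry) <= current:
        return None
    return username


def signed_user(header: str, now: Optional[float] = None) -> Optional[str]:
    """Look up the logged-in user from a signed 'session' cookie."""
    value = parse_cookie_header(header).get("session")
    return verify_session(value, now) if value is not None else None


def set_cookie_line(value: str) -> str:
    """Set-Cookie header for the signed value.

    No Domain attribute: the cookie is then host-only and is not sent to sibling
    hosts. That protects our cookie from them, but does not stop them planting
    their own Domain=domain.com cookie, which is why the value must be verifiable.
    Secure and HttpOnly are the other attributes a practitioner would set today.
    """
    return f"Set-Cookie: session={value}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    now = 1_000_000_000                       # fixed clock so the run is repeatable
    genuine = issue_session("alice", now=now)
    print(set_cookie_line(genuine))
    # Forgery succeeds against the unsigned scheme (constructed Cookie header)...
    print(unsigned_user("username=mallory"))           # mallory
    # ...but not against the signed one: no tag, wrong tag, or altered name.
    print(signed_user("session=mallory", now=now))      # None
    print(signed_user(f"session={genuine}", now=now))   # alice
    tampered = genuine.replace("alice", "mallory", 1)
    print(signed_user(f"session={tampered}", now=now))  # None
```

Anyone who learns the key can mint cookies for any user, which is the point Rushi makes above about knowing the secret; rotating the key invalidates every outstanding cookie, so the expiry in the payload also bounds how long a stolen cookie stays useful.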
 