cookie encryption/security

I'm currently making a web app that stores a user id in a cookie, and builds
user information off of that in the differnt pages of the site. The cookie is
created on login, and is separate from the authentication cookie. Are there
dangers to doing this? How easily can a cookie be tampered with? Is there any
fast setups, or things I can do for securing the cookie? I'm thinking someone
could tamper with the user id portion of the cookie and get someone else's
info.

I'm using a web farm environment, so I can't use other methods (like
session). Cookies seem to be the best way, but I wanted to know the dangers
and possible ways to prevent them.

Thanks.

re: cookie encryption/security

gl wrote:[color=blue]
> I'm currently making a web app that stores a user id in a cookie, and builds
> user information off of that in the differnt pages of the site. The cookie is
> created on login, and is separate from the authentication cookie. Are there
> dangers to doing this? How easily can a cookie be tampered with? Is there any
> fast setups, or things I can do for securing the cookie? I'm thinking someone
> could tamper with the user id portion of the cookie and get someone else's
> info.
>
> I'm using a web farm environment, so I can't use other methods (like
> session). Cookies seem to be the best way, but I wanted to know the dangers
> and possible ways to prevent them.
>
> Thanks.[/color]

If you are using a web farm you can still use session you will only need
to persist the session in SQL server or State Server instead of
InProc. (This has to be set in web.config)

If you finally decide to insert a cookie ... There is a possibility that
someone could steal the cookie (or tamper one) so what you can do is to
store in your servers other information about your client (like the Ip
and browser configuration) This way the malicious user will have to
tamper the IP apart from the cookie, this doesn't eliminate all the risk
but at least it will be much harder.

This article implements that solution with an HTTPModule, but if you
don't want that you can simply insert the code in the asp.net pages.

http://msdn.microsoft.com/msdnmag/is...08/WickedCode/


--
Regards,
David Hernández DÃ*ez
MCDBA MCSD vs6 & .NET
DCE5 .Net1.1 & DCE2 .NET 2.0

re: cookie encryption/security

Actually, you can use session state across web farms. You can have
session state backed by SQL Server or ASP Session server. Either one will
do this for you. However, the web servers in the farm have to all be set up
the proper way. The following knowledge base article goes into more detail:

http://support.microsoft.com/default...B;EN-US;325056

I would recommend using this, since in essence, any attempt to do this
will result in pretty much reinventing the wheel.

As for cookie hijacking, that's a tough one. The following article from
MSDN magazine should help:

http://msdn.microsoft.com/msdnmag/is...08/WickedCode/

Even though it talks about the session id, it can be applied in a
general sense to any cookie information.

Hope this helps.


--
- Nicholas Paldino [.NET/C# MVP]
- mvp@spam.guard.caspershouse.com

"gl" <gl@discussions.microsoft.com> wrote in message
news:5FFAA939-0892-4BBD-A73D-1FB657E89E6B@microsoft.com...[color=blue]
> I'm currently making a web app that stores a user id in a cookie, and
> builds
> user information off of that in the differnt pages of the site. The cookie
> is
> created on login, and is separate from the authentication cookie. Are
> there
> dangers to doing this? How easily can a cookie be tampered with? Is there
> any
> fast setups, or things I can do for securing the cookie? I'm thinking
> someone
> could tamper with the user id portion of the cookie and get someone else's
> info.
>
> I'm using a web farm environment, so I can't use other methods (like
> session). Cookies seem to be the best way, but I wanted to know the
> dangers
> and possible ways to prevent them.
>
> Thanks.[/color]

re: cookie encryption/security

Does ssl guard against cookie hijacking or altering?

"Nicholas Paldino [.NET/C# MVP]" wrote:
[color=blue]
> Actually, you can use session state across web farms. You can have
> session state backed by SQL Server or ASP Session server. Either one will
> do this for you. However, the web servers in the farm have to all be set up
> the proper way. The following knowledge base article goes into more detail:
>
> http://support.microsoft.com/default...B;EN-US;325056
>
> I would recommend using this, since in essence, any attempt to do this
> will result in pretty much reinventing the wheel.
>
> As for cookie hijacking, that's a tough one. The following article from
> MSDN magazine should help:
>
> http://msdn.microsoft.com/msdnmag/is...08/WickedCode/
>
> Even though it talks about the session id, it can be applied in a
> general sense to any cookie information.
>
> Hope this helps.
>
>
> --
> - Nicholas Paldino [.NET/C# MVP]
> - mvp@spam.guard.caspershouse.com
>
> "gl" <gl@discussions.microsoft.com> wrote in message
> news:5FFAA939-0892-4BBD-A73D-1FB657E89E6B@microsoft.com...[color=green]
> > I'm currently making a web app that stores a user id in a cookie, and
> > builds
> > user information off of that in the differnt pages of the site. The cookie
> > is
> > created on login, and is separate from the authentication cookie. Are
> > there
> > dangers to doing this? How easily can a cookie be tampered with? Is there
> > any
> > fast setups, or things I can do for securing the cookie? I'm thinking
> > someone
> > could tamper with the user id portion of the cookie and get someone else's
> > info.
> >
> > I'm using a web farm environment, so I can't use other methods (like
> > session). Cookies seem to be the best way, but I wanted to know the
> > dangers
> > and possible ways to prevent them.
> >
> > Thanks.[/color]
>
>
>[/color]

re: cookie encryption/security

Yes, it does.

--
- Nicholas Paldino [.NET/C# MVP]
- mvp@spam.guard.caspershouse.com

"gl" <gl@discussions.microsoft.com> wrote in message
news:1EF56B31-A638-42B8-8C1C-67AFF263609E@microsoft.com...[color=blue]
> Does ssl guard against cookie hijacking or altering?
>
> "Nicholas Paldino [.NET/C# MVP]" wrote:
>[color=green]
>> Actually, you can use session state across web farms. You can have
>> session state backed by SQL Server or ASP Session server. Either one
>> will
>> do this for you. However, the web servers in the farm have to all be set
>> up
>> the proper way. The following knowledge base article goes into more
>> detail:
>>
>> http://support.microsoft.com/default...B;EN-US;325056
>>
>> I would recommend using this, since in essence, any attempt to do
>> this
>> will result in pretty much reinventing the wheel.
>>
>> As for cookie hijacking, that's a tough one. The following article
>> from
>> MSDN magazine should help:
>>
>> http://msdn.microsoft.com/msdnmag/is...08/WickedCode/
>>
>> Even though it talks about the session id, it can be applied in a
>> general sense to any cookie information.
>>
>> Hope this helps.
>>
>>
>> --
>> - Nicholas Paldino [.NET/C# MVP]
>> - mvp@spam.guard.caspershouse.com
>>
>> "gl" <gl@discussions.microsoft.com> wrote in message
>> news:5FFAA939-0892-4BBD-A73D-1FB657E89E6B@microsoft.com...[color=darkred]
>> > I'm currently making a web app that stores a user id in a cookie, and
>> > builds
>> > user information off of that in the differnt pages of the site. The
>> > cookie
>> > is
>> > created on login, and is separate from the authentication cookie. Are
>> > there
>> > dangers to doing this? How easily can a cookie be tampered with? Is
>> > there
>> > any
>> > fast setups, or things I can do for securing the cookie? I'm thinking
>> > someone
>> > could tamper with the user id portion of the cookie and get someone
>> > else's
>> > info.
>> >
>> > I'm using a web farm environment, so I can't use other methods (like
>> > session). Cookies seem to be the best way, but I wanted to know the
>> > dangers
>> > and possible ways to prevent them.
>> >
>> > Thanks.[/color]
>>
>>
>>[/color][/color]