
Ram based Cookies

We use cookies to maintain some state information about a user's session.
They are not file based due to the fact that we don't specify an expiration
date. They go away when the session ends. I know it's possible to modify a
file based cookie. However, what would it take for a hacker that did not
have access to our web server to modify the value of a ram based client
cookie that we're creating below? I'm not concerned about someone reading
what is in the cookie - I'm nervous about them being able to modify the
cookie value.

Thanks in advance.
Mark

HttpCookie ckCookie = Request.Cookies[strCookieName];
if (ckCookie == null)
{
    // No cookie on this request: issue a session cookie (no Expires, so the
    // browser keeps it in memory and drops it when the session ends).
    ckCookie = new HttpCookie(strCookieName, strCookieValue);
    Response.Cookies.Add(ckCookie);
}
else
{
    // Cookie already present: send the new value back in the response.
    Response.Cookies[strCookieName].Value = strCookieValue;
}
Nov 18 '05 #1
I would never assume it cannot be edited; cookies are sent in the HTTP headers,
so you could intercept this and change the values.

You could HASH the cookie.

Steve

Nov 18 '05 #2
Great idea. A quick code sample, or pseudo code, for both hashing and
unhashing would be deeply appreciated.

Mark
Nov 18 '05 #3
Safe enough AFAIK. Of course you could always take a hexadecimal memory
editor, locate the cookie somewhere in memory and change its value, but it's
probably beyond most people's, even hackers', skills.

You could also just avoid storing things that you seem to consider as
"secret" client side (for example you could store a "handle" to this info;
if the "handle" is changed, there is no info anyway on the other side. This
is basically what session variables are? Can't you use this?).

Patrice
Nov 18 '05 #4
Another solution is to use SSL.
--
Peter O'Reilly
Nov 18 '05 #5
Ah, good point. Let's assume I'm using SSL. What would it take for an
authenticated user sitting at their client browser to modify their clear
text ram based cookie values?

Thanks again.
Mark
Nov 18 '05 #6
You create a NEW cookie, based on the values from your non-editable cookie;
this new cookie is a sort of encrypted version of the non-editable cookie.
In your server code, you REGEN this cookie from the non-editable value; if
it doesn't match, you assume the cookie has changed.

This is sort of like a checksum.

I don't have a code sample yet, but I do need to do this sort of thing soon.

Steve

You create some sort of hash with some user info + the cookie name +
the cookie value.
Nov 18 '05 #7
SSL prevents hijacking (some other user seeing the data and pretending to be
them). SSL will in no way hinder the user hacking his own cookie. As client
script can access the cookie, a user can modify his cookie with a little
typing in the address bar (any browser), or if they can turn on a javascript
console, it's even easier.

-- bruce (sqlwork.com)
Nov 18 '05 #8
Thanks Steve.

Correct me if I'm wrong but this essentially requires both the client and
the server to maintain this "value" that I'm passing in the cookie. To
regenerate the value on the server, and then compare it to the client
cookie, that means the server has to have a clue. :)

In my scenario, the whole point of passing the cookie is that I don't want
the server (session or otherwise) to have to regenerate the value. The
cookie maintains this information so the server doesn't have to.

Am I misreading your suggestion? Thanks again.

Mark
Nov 18 '05 #9
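The checksum scheme Steve sketches in #7, written out as an added example (this is not code from the thread or from any of its posters). It answers Mark's question in #9 as well: the server does not keep the value, it keeps one secret key and regenerates the tag from whatever the browser sent back. The keyed hash (HMAC-SHA256), the class and method names, the cookie layout and the key source are this example's own choices; "unhashing" in Mark's #3 is not possible, the check is always regenerate-and-compare.

```csharp
// Added example, not code from the original thread. Tamper-evident cookie
// values: a keyed hash (HMAC-SHA256) over the cookie name and value, checked
// on every request. The server stores nothing per user; it needs only the key.
using System;
using System.Security.Cryptography;
using System.Text;

public static class SignedCookie
{
    // Assumption: in a real application the key comes from protected
    // configuration (machineKey, DPAPI, a secrets store) and is at least
    // 32 random bytes. A key the client can read makes the tag forgeable.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("replace-with-32-random-bytes-from-config!!");

    // Wire format: Base64(value) "." Base64(tag). Base64 never contains '.',
    // and '+', '/', '=' and '.' are all legal characters in a cookie value.
    public static string Sign(string name, string value)
    {
        byte[] data = Encoding.UTF8.GetBytes(value);
        byte[] tag = ComputeTag(name, data);
        return Convert.ToBase64String(data) + "." + Convert.ToBase64String(tag);
    }

    // Regenerates the tag from the received value and compares. Returns the
    // original value only if the cookie is exactly what the server issued.
    public static bool TryVerify(string name, string cookieValue, out string value)
    {
        value = null;
        if (cookieValue == null) return false;
        int dot = cookieValue.LastIndexOf('.');
        if (dot < 0) return false;

        byte[] data, tag;
        try
        {
            data = Convert.FromBase64String(cookieValue.Substring(0, dot));
            tag = Convert.FromBase64String(cookieValue.Substring(dot + 1));
        }
        catch (FormatException) { return false; }

        if (!FixedTimeEquals(ComputeTag(name, data), tag)) return false;
        value = Encoding.UTF8.GetString(data);
        return true;
    }

    // The cookie name is part of the MAC input (Steve's "cookie name + cookie
    // value"), so a tag issued for one cookie cannot be pasted into another.
    // NUL separates name and value; cookie names cannot contain NUL.
    private static byte[] ComputeTag(string name, byte[] data)
    {
        byte[] prefix = Encoding.UTF8.GetBytes(name + "\0");
        byte[] input = new byte[prefix.Length + data.Length];
        Buffer.BlockCopy(prefix, 0, input, 0, prefix.Length);
        Buffer.BlockCopy(data, 0, input, prefix.Length, data.Length);
        using (HMACSHA256 hmac = new HMACSHA256(Key))
        {
            return hmac.ComputeHash(input);
        }
    }

    // Compares every byte regardless of where the first difference is, so
    // response timing does not leak how much of a forged tag was right.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        string issued = Sign("prefs", "role=user;cart=3");
        Console.WriteLine("Set-Cookie value: " + issued);

        string v;
        Console.WriteLine(TryVerify("prefs", issued, out v) ? "intact: " + v : "tampered");

        // The user edits the payload in the browser (bruce's address-bar
        // trick) but cannot recompute the tag without the key.
        string forged = Convert.ToBase64String(Encoding.UTF8.GetBytes("role=admin;cart=3"))
                        + issued.Substring(issued.LastIndexOf('.'));
        Console.WriteLine(TryVerify("prefs", forged, out v) ? "intact: " + v : "tampered");

        // A valid tag for one cookie name does not verify under another.
        Console.WriteLine(TryVerify("other", issued, out v) ? "intact: " + v : "tampered");
    }
}
```

To use it with the snippet in the first post, issue the cookie with new HttpCookie(strCookieName, SignedCookie.Sign(strCookieName, strCookieValue)) and, when reading it back, call SignedCookie.TryVerify(strCookieName, ckCookie.Value, out v) and treat a false result exactly like a missing cookie. Two caveats: a MAC gives integrity, not secrecy (Mark said reading is not a concern, so that matches), and a signed value stays valid until the key changes, so anyone holding an old cookie can send it again; if that matters, put the user id or an issue time inside the signed value and check them on the server. Setting HttpCookie.HttpOnly and HttpCookie.Secure keeps page script and plain-HTTP requests away from the cookie, which narrows the attack bruce describes but does not replace the check.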
"Mark" <fi******@idono tlikejunkmail.u mn.edu> wrote in message
news:OO******** ******@TK2MSFTN GP09.phx.gbl...
> Ah, good point. Let's assume I'm using SSL. What would it take for an
> authenticated user sitting at their client browser to modify their clear
> text ram based cookie values?


Your original message mentioned worries of a hacker. Your example above
notes an authenticated user. The way I see it, how the hacker managed to get
past authentication is the greater risk and concern.

In other words, if the person authenticated is really the person intended to
use the application, I do not see how any of what is contained in their
cookie would be alarming as they are undoubtedly aware of their own social
security number, credit card number, application settings selected or
inputted, etc.

Encrypted or not, keep in mind though that the user may see what cookie is
being set, even if it's a session (memory resident) cookie, using such
browsers as Mozilla and having such cookie alert setting turned on.

If such security is really paramount, I would create a cookie containing an
encrypted id that points to the user's session information contained on the
server such as a database. This plus implementing SSL is about as stealth
as one can imagine.

--
Peter O'Reilly
Nov 18 '05 #10
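The other design in this thread, Patrice's "handle" (#4) and Peter's server-side session pointer (#10), as an added example that is not code from the thread: the cookie carries only a random identifier and the state lives on the server. The identifier is random rather than encrypted, which is this example's choice (a random handle carries no information, so there is nothing to encrypt); the in-memory Dictionary, the 16-byte id and the class names are assumptions, and a real deployment would put the store in a database or cache with expiry.

```csharp
// Added example, not code from the original thread. Opaque session handle:
// the browser holds a random id, the server holds the state. Editing the
// cookie cannot change the state; it can only point at nothing.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class HandleStore
{
    private readonly Dictionary<string, string> _state = new Dictionary<string, string>();
    private readonly RandomNumberGenerator _rng = RandomNumberGenerator.Create();
    private readonly object _lock = new object();

    // 128 bits from the CSPRNG. The handle must be unguessable: whoever can
    // produce a valid handle owns that session, so no counters or timestamps.
    public string Create(string state)
    {
        byte[] id = new byte[16];
        _rng.GetBytes(id);
        string handle = Convert.ToBase64String(id);
        lock (_lock) _state[handle] = state;
        return handle;
    }

    // Unknown or edited handle -> no state; the caller treats it as "no session".
    public bool TryGet(string handle, out string state)
    {
        state = null;
        if (string.IsNullOrEmpty(handle)) return false;
        lock (_lock) return _state.TryGetValue(handle, out state);
    }

    // Logout or timeout: the handle is dead even if the user kept a copy,
    // which a purely client-side cookie can never guarantee.
    public void Remove(string handle)
    {
        if (handle == null) return;
        lock (_lock) _state.Remove(handle);
    }

    public static void Main()
    {
        HandleStore store = new HandleStore();
        string handle = store.Create("role=user;cart=3");
        // In ASP.NET: Response.Cookies.Add(new HttpCookie("sid", handle));
        Console.WriteLine("cookie value: " + handle);

        string s;
        Console.WriteLine(store.TryGet(handle, out s) ? "state: " + s : "no session");

        // The user edits one character of the cookie in the browser.
        char[] edited = handle.ToCharArray();
        edited[0] = edited[0] == 'A' ? 'B' : 'A';
        Console.WriteLine(store.TryGet(new string(edited), out s) ? "state: " + s : "no session");

        store.Remove(handle);
        Console.WriteLine(store.TryGet(handle, out s) ? "state: " + s : "no session");
    }
}
```

This is what ASP.NET Session does for you, as Patrice notes: the ASP.NET_SessionId cookie is a handle and the values never leave the server. The cost is the server-side store Mark wants to avoid; the benefit over a signed value is that the state can be revoked or expired on the server and nothing about it is visible in the browser's cookie display Peter mentions.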
