It sounds from the discussion that you are concerned about your legitimate
users trying to do things they shouldn't (I'm guessing privilege elevation
or similar). If that is the case, the only thing you should store in the
cookie is information that is known only to that user.
For example, don't store a user ID only because that would allow an
up-to-no-good user to simply change the ID to become a different person,
possibly with elevated permissions. Instead, keep the ID and password in the
cookie and verify it when the user attempts to perform an action.
It may be more expensive in terms of computing resources and programming
effort, but all security is coming up with the best balance between the cost
of the security and the value of what is being protected. Bruce Schneier has
a good essay on the topic at
http://www.schneier.com/crypto-gram-0403.html#11.
My suggestion would be to not put anything in the cookie that would provide
a nefarious user with an easy way to guess, and have some way of detecting
attacks, e.g., if some user is attempting to guess user IDs, in the worst
case they change their user ID to '0' and become administrator. If you
decide to play a trick and change the admin ID to some random number, you've
made it difficult (not impossible) to guess, but unless you have some way of
detecting attempts to change the user ID (i.e. a password and validation
routine), you will have no idea that somebody is trying to crack your
security and they can take as long as they want attempting to guess.
Colin
"Mark" <fi******@idonotlikejunkmail.umn.edu> wrote in message
news:ec*************@tk2msftngp13.phx.gbl...
We use cookies to maintain some state information about a user's session.
They are not file based due to the fact that we don't specify an expiration
date. They go away when the session ends. I know it's possible to modify
a file based cookie. However, what would it take for a hacker that did not
have access to our web server to modify the value of a ram based client
cookie that we're creating below? I'm not concerned about someone reading
what is in the cookie - I'm nervous about them being able to modify the
cookie value.
Thanks in advance.
Mark
using System.Web;

// Look for an existing cookie with this name in the incoming request.
HttpCookie ckCookie = Request.Cookies[strCookieName];
if (ckCookie == null)
{
    // No cookie yet: create a session cookie (no Expires set) and send it.
    ckCookie = new HttpCookie(strCookieName, strCookieValue);
    Response.Cookies.Add(ckCookie);
}
else
{
    // Cookie already present: overwrite its value in the response.
    Response.Cookies[strCookieName].Value = strCookieValue;
}
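An added example, not code from either poster: Mark's snippet reworked so that the cookie value carries a server-keyed HMAC, which makes a client-side edit detectable, and a failed check is logged, giving the "way of detecting attempts" Colin asks for without putting the password in the cookie. It assumes the signing key is loaded from protected server-side configuration; the literal below is only a placeholder.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Cookie format: "<value>|<base64(HMAC-SHA256(value))>". Only the server holds
// the key, so an altered value no longer matches its tag.
public static class SignedCookie
{
    // Placeholder: in a real app load the key from protected config, never a literal.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("placeholder-server-secret-change-me");

    public static string Sign(string value)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            byte[] tag = hmac.ComputeHash(Encoding.UTF8.GetBytes(value));
            return value + "|" + Convert.ToBase64String(tag);
        }
    }

    // Returns the original value, or null if the cookie is missing or altered.
    public static string Verify(string cookieValue)
    {
        if (cookieValue == null) return null;
        int sep = cookieValue.LastIndexOf('|'); // base64 never contains '|'
        if (sep < 0) return null;
        string value = cookieValue.Substring(0, sep);
        byte[] expected = Encoding.UTF8.GetBytes(Sign(value));
        byte[] actual = Encoding.UTF8.GetBytes(cookieValue);
        if (expected.Length != actual.Length) return null;
        int diff = 0; // constant-time compare: no early exit on first mismatch
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0 ? value : null;
    }

    // Mark's pattern with integrity checking added.
    public static void Set(HttpRequest request, HttpResponse response,
                           string name, string value)
    {
        HttpCookie existing = request.Cookies[name];
        if (existing != null && Verify(existing.Value) == null)
            // Bad tag means the client changed the cookie: record it.
            System.Diagnostics.Trace.TraceWarning(
                "cookie '{0}' failed integrity check", name);
        var ck = new HttpCookie(name, Sign(value)) { HttpOnly = true };
        response.Cookies.Add(ck);
    }
}
```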