
Ram based Cookies

We use cookies to maintain some state information about a user's session.
They are not file based due to the fact that we don't specify an expiration
date. They go away when the session ends. I know it's possible to modify a
file based cookie. However, what would it take for a hacker that did not
have access to our web server to modify the value of a RAM based client
cookie that we're creating below? I'm not concerned about someone reading
what is in the cookie - I'm nervous about them being able to modify the
cookie value.

Thanks in advance.
Mark

HttpCookie ckCookie = Request.Cookies[strCookieName];
if (ckCookie == null)
{
    // No cookie of that name came in with the request: create a session cookie
    // (no Expires set, so the browser keeps it in memory and drops it on close).
    ckCookie = new HttpCookie(strCookieName, strCookieValue);
    Response.Cookies.Add(ckCookie);
}
else
{
    // The cookie already exists: overwrite its value on the response.
    Response.Cookies[strCookieName].Value = strCookieValue;
}
Nov 18 '05
No, the value isn't needed on the server; the server just holds the hashing
code. You take the value and the hash sent to the server, recreate the hash
from the value sent, and see if you get the same result as the hashed one.

Your cookie sent from the server to the client could be:

My Non Editable thing = "SomeValue"
My Encrypted Value = "eulaVemos"

When the cookies get sent back to the server, you take "SomeValue", run your
ENC code, it produces "eulaVemos", so the cookie has not been tampered with. If
.... you get

My Non Editable thing = "WrongValue"
My Encrypted Value = "eulaVemos"

The server would create "eulaVgnorW" and compare it to "eulaVemos", so it would
know it's been tampered with.

You could get more intelligent by rotating the key that you use to encrypt
on each request for that user.

I reckon this code could be added to the global.asa to work with ALL
cookies.

Steve
"Mark" <fi******@idonotlikejunkmail.umn.edu> wrote in message
news:#e*************@tk2msftngp13.phx.gbl...
Thanks Steve.

Correct me if I'm wrong but this essentially requires both the client and
the server to maintain this "value" that I'm passing in the cookie. To
regenerate the value on the server, and then compare it to the client
cookie, that means the server has to have a clue. :)

In my scenario, the whole point of passing the cookie is that I don't want
the server (session or otherwise) to have to regenerate the value. The
cookie maintains this information so the server doesn't have to.

Am I misreading your suggestion? Thanks again.

Mark
"Steve Drake" <St***@NOSPAMDrakey.co.uk> wrote in message
news:u3**************@TK2MSFTNGP11.phx.gbl...
You create a NEW cookie, based on the values from your non editable cookie.
This new cookie is a sort of encrypted version of the non editable cookie.
In your server code, you REGEN this cookie from the non editable value; if it
doesn't match, you assume the cookie has changed.

This is sort of like a checksum.

I don't have a code sample yet, but I do need to do this sort of thing
soon.


Steve

You create some sort of hash with some user info + the cookie name + the
cookie value.
"Mark" <fi******@idonotlikejunkmail.umn.edu> wrote in message
news:#b*************@TK2MSFTNGP10.phx.gbl...
Great idea. A quick code sample, or pseudo code for both hashing and
unhashing, would be deeply appreciated.

Mark

"Steve Drake" <St***@NOSPAMDrakey.co.uk> wrote in message
news:Om**************@tk2msftngp13.phx.gbl...
> I would never assume it cannot be edited; cookies are sent in the HTTP
> headers, so you could intercept this and change the values.
>
> You could HASH the cookie.
>
> Steve
Nov 18 '05 #11
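Steve's keyed-hash scheme from the post above, written out as an added example (not code from the thread, and in Python rather than ASP.NET; the same structure maps onto the HMACSHA256 class in System.Security.Cryptography). The server keeps only a secret key, sends the readable value alongside its HMAC over "user info + cookie name + cookie value", and on the way back recomputes the HMAC from whatever the client sent, which is exactly what Mark asked for: the server never has to remember the value itself. The cookie names, the user id and the role values are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Server-side secret that never leaves the server. Generated at startup here for
# the example; in production it must persist and be shared across server instances.
SERVER_KEY = secrets.token_bytes(32)


def _mac(key: bytes, user_id: str, name: str, value: str) -> str:
    # Bind user info, cookie name and cookie value into one message so that a
    # valid MAC for one user or one cookie cannot be reused for another.
    msg = b"\x00".join(s.encode() for s in (user_id, name, value))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def sign_cookie(key: bytes, user_id: str, name: str, value: str) -> dict:
    """Return the pair of cookies to send: the readable value and its keyed hash."""
    return {name: value, name + "_mac": _mac(key, user_id, name, value)}


def verify_cookie(key: bytes, user_id: str, name: str, cookies: dict):
    """Return the cookie value if its MAC checks out, else None (missing or tampered)."""
    value = cookies.get(name)
    mac = cookies.get(name + "_mac")
    if value is None or mac is None:
        return None
    # Recompute from what the client sent; the server holds no copy of the value.
    expected = _mac(key, user_id, name, value)
    # Constant-time compare: a plain == would leak how much of the MAC matched.
    return value if hmac.compare_digest(expected, mac) else None


if __name__ == "__main__":
    sent = sign_cookie(SERVER_KEY, "user42", "role", "member")
    print(verify_cookie(SERVER_KEY, "user42", "role", sent))    # member
    forged = dict(sent, role="admin")                             # value edited client-side
    print(verify_cookie(SERVER_KEY, "user42", "role", forged))  # None
```

Rotating the key per request, as Steve suggests, only changes which key is passed to sign_cookie and verify_cookie; the check itself stays the same.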
It sounds from the discussion that you are concerned about your legitimate
users trying to do things they shouldn't (I'm guessing privilege elevation
or similar). If that is the case, the only thing you should store in the
cookie is information that is known only to that user.

For example, don't store a user ID only because that would allow an
up-to-no-good user to simply change the ID to become a different person,
possibly with elevated permissions. Instead, keep the ID and password in the
cookie and verify it when the user attempts to perform an action.

It may be more expensive in terms of computing resources and programming
effort, but all security is coming up with the best balance between the cost
of the security and the value of what is being protected. Bruce Schneier has
a good essay on the topic at
http://www.schneier.com/crypto-gram-0403.html#11.

My suggestion would be to not put anything in the cookie that would provide
a nefarious user with an easy way to guess, and have some way of detecting
attacks, e.g. if some user is attempting to guess user IDs, in the worst
case they change their user ID to '0' and become administrator. If you
decide to play a trick and change the admin ID to some random number, you've
made it difficult (not impossible) to guess, but unless you have some way of
detecting attempts to change the user ID (i.e. a password and validation
routine), you will have no idea that somebody is trying to crack your
security and they can take as long as they want attempting to guess.

Colin

Nov 18 '05 #12
