cookie encryption/security

gl
I'm currently making a web app that stores a user id in a cookie, and builds
user information off of that in the different pages of the site. The cookie is
created on login, and is separate from the authentication cookie. Are there
dangers to doing this? How easily can a cookie be tampered with? Is there any
fast setups, or things I can do for securing the cookie? I'm thinking someone
could tamper with the user id portion of the cookie and get someone else's
info.

I'm using a web farm environment, so I can't use other methods (like
session). Cookies seem to be the best way, but I wanted to know the dangers
and possible ways to prevent them.

Thanks.
Jan 21 '06 #1
gl wrote:
I'm currently making a web app that stores a user id in a cookie, and builds
user information off of that in the different pages of the site. The cookie is
created on login, and is separate from the authentication cookie. Are there
dangers to doing this? How easily can a cookie be tampered with? Is there any
fast setups, or things I can do for securing the cookie? I'm thinking someone
could tamper with the user id portion of the cookie and get someone else's
info.

I'm using a web farm environment, so I can't use other methods (like
session). Cookies seem to be the best way, but I wanted to know the dangers
and possible ways to prevent them.

Thanks.


If you are using a web farm you can still use session you will only need
to persist the session in SQL server or State Server instead of
InProc. (This has to be set in web.config)

If you finally decide to insert a cookie ... There is a possibility that
someone could steal the cookie (or tamper one) so what you can do is to
store in your servers other information about your client (like the Ip
and browser configuration) This way the malicious user will have to
tamper the IP apart from the cookie, this doesn't eliminate all the risk
but at least it will be much harder.

This article implements that solution with an HTTPModule, but if you
don't want that you can simply insert the code in the asp.net pages.

http://msdn.microsoft.com/msdnmag/is...08/WickedCode/
--
Regards,
David Hernández Díez
MCDBA MCSD vs6 & .NET
DCE5 .Net1.1 & DCE2 .NET 2.0
Jan 21 '06 #2
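Added example, not code from the thread or from the MSDN article: one way to make the user-id cookie tamper-evident in ASP.NET is to append an HMAC over the user id, an expiry and the client's IP and User-Agent, and to recompute and compare it on every request. A value whose MAC does not verify is simply ignored, which addresses the original poster's worry that someone edits the id to read another user's data, and the IP/User-Agent binding is the idea from the reply above. The class name `SignedCookie` and the methods `Create`/`Validate` are hypothetical; the key string is a placeholder and in a real deployment would be loaded from configuration and be identical on every server in the farm.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for issuing and checking an HMAC-signed user-id cookie.
public static class SignedCookie
{
    // Placeholder key: load a random 32-byte secret from configuration in real use.
    // All web farm nodes must share the same key or cookies from one node fail on another.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("placeholder-replace-with-random-key-from-web.config");

    // Cookie layout: userId|expiresUtcTicks|base64(HMAC-SHA256(userId|expires|ip|userAgent))
    public static string Create(string userId, DateTime expiresUtc, string clientIp, string userAgent)
    {
        if (userId.IndexOf('|') >= 0)
            throw new ArgumentException("user id must not contain the separator", "userId");

        string payload = userId + "|" + expiresUtc.Ticks.ToString();
        // IP and User-Agent are covered by the MAC but not stored in the cookie,
        // so a copied cookie only verifies when presented from the same client.
        string mac = Convert.ToBase64String(Mac(payload + "|" + clientIp + "|" + userAgent));
        return payload + "|" + mac;
    }

    // Returns the user id if the cookie is intact, unexpired and presented by the
    // same IP/User-Agent it was issued to; returns null for anything else.
    public static string Validate(string cookieValue, DateTime nowUtc, string clientIp, string userAgent)
    {
        if (cookieValue == null) return null;
        string[] parts = cookieValue.Split('|');
        if (parts.Length != 3) return null;

        long ticks;
        if (!long.TryParse(parts[1], out ticks)) return null;
        if (ticks < 0 || ticks > DateTime.MaxValue.Ticks) return null;
        if (new DateTime(ticks, DateTimeKind.Utc) < nowUtc) return null;

        byte[] presented;
        try { presented = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return null; }

        byte[] expected = Mac(parts[0] + "|" + parts[1] + "|" + clientIp + "|" + userAgent);
        return FixedTimeEquals(expected, presented) ? parts[0] : null;
    }

    private static byte[] Mac(string data)
    {
        using (HMACSHA256 h = new HMACSHA256(Key))
            return h.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    // Compare every byte so the response time does not reveal where the first
    // mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In a page or HttpModule you would call `SignedCookie.Create(userId, DateTime.UtcNow.AddHours(8), Request.UserHostAddress, Request.UserAgent)` when writing the cookie, set `HttpOnly = true` and `Secure = true` on the `HttpCookie`, and call `Validate` with the same two request properties before trusting the id. Binding to the IP address does produce false rejections for clients behind proxies whose address changes mid-session, which is why the reply above describes it as raising the bar rather than removing the risk; the MAC alone already stops the id being edited, and the expiry limits how long a copied cookie remains useful.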
Actually, you can use session state across web farms. You can have
session state backed by SQL Server or ASP Session server. Either one will
do this for you. However, the web servers in the farm have to all be set up
the proper way. The following knowledge base article goes into more detail:

http://support.microsoft.com/default...B;EN-US;325056

I would recommend using this, since in essence, any attempt to do this
will result in pretty much reinventing the wheel.

As for cookie hijacking, that's a tough one. The following article from
MSDN magazine should help:

http://msdn.microsoft.com/msdnmag/is...08/WickedCode/

Even though it talks about the session id, it can be applied in a
general sense to any cookie information.

Hope this helps.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

"gl" <gl@discussions.microsoft.com> wrote in message
news:5F**********************************@microsof t.com...
I'm currently making a web app that stores a user id in a cookie, and
builds
user information off of that in the different pages of the site. The cookie
is
created on login, and is separate from the authentication cookie. Are
there
dangers to doing this? How easily can a cookie be tampered with? Is there
any
fast setups, or things I can do for securing the cookie? I'm thinking
someone
could tamper with the user id portion of the cookie and get someone else's
info.

I'm using a web farm environment, so I can't use other methods (like
session). Cookies seem to be the best way, but I wanted to know the
dangers
and possible ways to prevent them.

Thanks.

Jan 21 '06 #3
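Added example, not configuration from the thread or the knowledge base article: the web.config settings that move ASP.NET session state out of process so every server in the farm reads the same session, as the reply above recommends. The host names and key values are placeholders; the SQL Server option needs the ASPState database created once with `aspnet_regsql.exe -ssadd` (or the InstallSqlState.sql script on .NET 1.1), and the `machineKey` element has to be identical on every node so that forms-authentication and session cookies issued by one server validate on the others.

```xml
<configuration>
  <system.web>
    <!-- Session data lives in SQL Server; all farm nodes point at the same database.
         Placeholder connection string. -->
    <sessionState mode="SQLServer"
                  sqlConnectionString="data source=SQLHOST;Integrated Security=SSPI"
                  cookieless="false"
                  timeout="20" />

    <!-- Alternative: the ASP.NET State Service running on one machine.
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=STATEHOST:42424"
                  timeout="20" /> -->

    <!-- Same keys on every server, otherwise a cookie or ViewState produced by one
         node is rejected by the next. Placeholder values; generate real random keys. -->
    <machineKey validationKey="PLACEHOLDER_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_64_HEX_CHARS"
                validation="SHA1"
                decryption="AES" />
  </system.web>
</configuration>
```

With session state stored this way the user id never leaves the server at all; the browser only carries the session identifier, which is the value the linked MSDN article discusses protecting.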
gl
Does ssl guard against cookie hijacking or altering?

"Nicholas Paldino [.NET/C# MVP]" wrote:
Actually, you can use session state across web farms. You can have
session state backed by SQL Server or ASP Session server. Either one will
do this for you. However, the web servers in the farm have to all be set up
the proper way. The following knowledge base article goes into more detail:

http://support.microsoft.com/default...B;EN-US;325056

I would recommend using this, since in essence, any attempt to do this
will result in pretty much reinventing the wheel.

As for cookie hijacking, that's a tough one. The following article from
MSDN magazine should help:

http://msdn.microsoft.com/msdnmag/is...08/WickedCode/

Even though it talks about the session id, it can be applied in a
general sense to any cookie information.

Hope this helps.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

"gl" <gl@discussions.microsoft.com> wrote in message
news:5F**********************************@microsof t.com...
I'm currently making a web app that stores a user id in a cookie, and
builds
user information off of that in the different pages of the site. The cookie
is
created on login, and is separate from the authentication cookie. Are
there
dangers to doing this? How easily can a cookie be tampered with? Is there
any
fast setups, or things I can do for securing the cookie? I'm thinking
someone
could tamper with the user id portion of the cookie and get someone else's
info.

I'm using a web farm environment, so I can't use other methods (like
session). Cookies seem to be the best way, but I wanted to know the
dangers
and possible ways to prevent them.

Thanks.


Jan 22 '06 #4
Yes, it does.

--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

"gl" <gl@discussions.microsoft.com> wrote in message
news:1E**********************************@microsof t.com...
Does ssl guard against cookie hijacking or altering?

"Nicholas Paldino [.NET/C# MVP]" wrote:
Actually, you can use session state across web farms. You can have
session state backed by SQL Server or ASP Session server. Either one
will
do this for you. However, the web servers in the farm have to all be set
up
the proper way. The following knowledge base article goes into more
detail:

http://support.microsoft.com/default...B;EN-US;325056

I would recommend using this, since in essence, any attempt to do
this
will result in pretty much reinventing the wheel.

As for cookie hijacking, that's a tough one. The following article
from
MSDN magazine should help:

http://msdn.microsoft.com/msdnmag/is...08/WickedCode/

Even though it talks about the session id, it can be applied in a
general sense to any cookie information.

Hope this helps.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

"gl" <gl@discussions.microsoft.com> wrote in message
news:5F**********************************@microsof t.com...
> I'm currently making a web app that stores a user id in a cookie, and
> builds
> user information off of that in the different pages of the site. The
> cookie
> is
> created on login, and is separate from the authentication cookie. Are
> there
> dangers to doing this? How easily can a cookie be tampered with? Is
> there
> any
> fast setups, or things I can do for securing the cookie? I'm thinking
> someone
> could tamper with the user id portion of the cookie and get someone
> else's
> info.
>
> I'm using a web farm environment, so I can't use other methods (like
> session). Cookies seem to be the best way, but I wanted to know the
> dangers
> and possible ways to prevent them.
>
> Thanks.


Jan 23 '06 #5