Bytes | Software Development & Data Engineering Community

cookie encryption/security

gl
I'm currently making a web app that stores a user id in a cookie, and builds user information off of that in the different pages of the site. The cookie is created on login, and is separate from the authentication cookie. Are there dangers to doing this? How easily can a cookie be tampered with? Are there any fast setups, or things I can do for securing the cookie? I'm thinking someone could tamper with the user id portion of the cookie and get someone else's info.

I'm using a web farm environment, so I can't use other methods (like
session). Cookies seem to be the best way, but I wanted to know the dangers
and possible ways to prevent them.

Thanks.
Jan 21 '06 #1
gl wrote:
I'm currently making a web app that stores a user id in a cookie, and builds user information off of that in the different pages of the site. The cookie is created on login, and is separate from the authentication cookie. Are there dangers to doing this? How easily can a cookie be tampered with? Are there any fast setups, or things I can do for securing the cookie? I'm thinking someone could tamper with the user id portion of the cookie and get someone else's info.

I'm using a web farm environment, so I can't use other methods (like
session). Cookies seem to be the best way, but I wanted to know the dangers
and possible ways to prevent them.

Thanks.


If you are using a web farm you can still use session; you will only need to persist the session in SQL Server or State Server instead of InProc. (This has to be set in web.config.)

If you finally decide to insert a cookie... there is a possibility that someone could steal the cookie (or tamper with one), so what you can do is store on your servers other information about your client (like the IP and browser configuration). This way the malicious user will have to tamper with the IP apart from the cookie; this doesn't eliminate all the risk, but at least it will be much harder.

This article implements that solution with an HTTPModule, but if you don't want that you can simply insert the code in the ASP.NET pages.

http://msdn.microsoft.com/msdnmag/is...08/WickedCode/
--
Regards,
David Hernández Díez
MCDBA MCSD vs6 & .NET
DCE5 .Net1.1 & DCE2 .NET 2.0
Jan 21 '06 #2
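The reply above protects the cookie by binding it to client details kept on the server. A complementary check, shown here as an added example that is not code from the thread or from the linked MSDN article, is to make the cookie value itself tamper-evident: the server signs the user id (and an expiry) with an HMAC key that every server in the farm shares, and on each request recomputes the signature before trusting the id. Any edit to the id field breaks the signature and the request is treated as not logged in. Transport encryption on its own does not give you this, because it only protects the cookie between browser and server; the person who holds the cookie can still edit its value before sending it back. The class, method names and the sample User-Agent string are my own; the key is generated at random only so the sample runs stand-alone, and in a real deployment it would be loaded from protected configuration and be identical on all farm servers.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the thread). Cookie value layout:
//   "<userId>|<expiresUtcTicks>|<base64 HMAC-SHA256 over id, expiry and client context>"
public sealed class SignedUserCookie
{
    private readonly byte[] key;

    public SignedUserCookie(byte[] key)
    {
        if (key == null || key.Length < 32)
            throw new ArgumentException("Key must be at least 32 random bytes.", "key");
        this.key = key;
    }

    // clientContext is whatever per-client data you choose to bind the cookie to
    // (for example the User-Agent header). A cookie presented from a client with a
    // different context fails verification. Binding to the full client IP is fragile
    // behind proxies and on mobile networks, so prefer stable attributes.
    public string Create(int userId, DateTime expiresUtc, string clientContext)
    {
        string payload = userId.ToString(CultureInfo.InvariantCulture) + "|"
                       + expiresUtc.Ticks.ToString(CultureInfo.InvariantCulture);
        return payload + "|" + Convert.ToBase64String(Mac(payload, clientContext));
    }

    // Returns the user id if the value is authentic, bound to this client and not
    // expired; otherwise null, which the caller treats as "not logged in".
    public int? Verify(string cookieValue, string clientContext, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(cookieValue)) return null;
        string[] parts = cookieValue.Split('|');
        if (parts.Length != 3) return null;

        byte[] presented;
        try { presented = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return null; }

        // Recompute the MAC over the id and expiry exactly as presented.
        byte[] expected = Mac(parts[0] + "|" + parts[1], clientContext);
        if (!FixedTimeEquals(expected, presented)) return null;

        int userId;
        long expiresTicks;
        if (!int.TryParse(parts[0], NumberStyles.None, CultureInfo.InvariantCulture, out userId)) return null;
        if (!long.TryParse(parts[1], NumberStyles.None, CultureInfo.InvariantCulture, out expiresTicks)) return null;
        if (nowUtc.Ticks > expiresTicks) return null;
        return userId;
    }

    private byte[] Mac(string payload, string clientContext)
    {
        byte[] data = Encoding.UTF8.GetBytes(payload + "\n" + (clientContext ?? string.Empty));
        using (HMACSHA256 hmac = new HMACSHA256(key))
        {
            return hmac.ComputeHash(data);
        }
    }

    // Compares every byte regardless of where the first mismatch is, so timing
    // does not reveal how much of a presented signature was correct.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class SignedUserCookieDemo
{
    public static void Main()
    {
        // Sample only: in a farm every server must load the same key from configuration.
        byte[] key = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(key);
        SignedUserCookie cookies = new SignedUserCookie(key);

        // Constructed sample values.
        string userAgent = "Mozilla/4.0 (compatible; sample UA)";
        DateTime now = DateTime.UtcNow;
        string value = cookies.Create(42, now.AddHours(1), userAgent);

        Console.WriteLine(cookies.Verify(value, userAgent, now));                       // 42
        // The same cookie with the id field replaced by another user's id: MAC no longer matches.
        string edited = "7" + value.Substring(value.IndexOf('|'));
        Console.WriteLine(cookies.Verify(edited, userAgent, now) == null);              // True
        Console.WriteLine(cookies.Verify(value, "different client", now) == null);      // True: bound to another client
        Console.WriteLine(cookies.Verify(value, userAgent, now.AddHours(2)) == null);   // True: expired
    }
}
```

When writing the value into an HttpCookie, also set Secure (only sent over SSL) and, on .NET 2.0 and later, HttpOnly (not readable from script), so the signed value is less likely to be copied off the client in the first place; the signature then covers the remaining case of the value being edited or replayed from another client.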
Actually, you can use session state across web farms. You can have
session state backed by SQL Server or ASP Session server. Either one will
do this for you. However, the web servers in the farm have to all be set up
the proper way. The following knowledge base article goes into more detail:

http://support.microsoft.com/default...B;EN-US;325056

I would recommend using this, since in essence, any attempt to do this
will result in pretty much reinventing the wheel.

As for cookie hijacking, that's a tough one. The following article from
MSDN magazine should help:

http://msdn.microsoft.com/msdnmag/is...08/WickedCode/

Even though it talks about the session id, it can be applied in a
general sense to any cookie information.

Hope this helps.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com


Jan 21 '06 #3
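The web.config settings the two replies refer to, as an added example that is not from the thread or from the linked knowledge base article: session state is moved out of the worker process so any server in the farm can serve any request, and the machineKey is pinned so that the forms-authentication cookie issued by one server validates on another. Host names, credentials and key values are placeholders.

```xml
<configuration>
  <system.web>
    <!-- Session data lives in SQL Server, so a request can land on any farm server.
         The connection string is a placeholder; grant the account only the session
         database rights it needs. -->
    <sessionState mode="SQLServer"
                  sqlConnectionString="data source=SESSION-DB-HOST;user id=sessionuser;password=PLACEHOLDER"
                  cookieless="false"
                  timeout="20" />

    <!-- Alternative: the ASP.NET State Service on one dedicated host.
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=STATE-HOST:42424"
                  timeout="20" />
    -->

    <!-- With AutoGenerate (the default) each server has its own keys, and a cookie
         or ViewState MAC produced by one server is rejected by the next. Use the same
         explicitly generated random hex values on every server; these are placeholders. -->
    <machineKey validationKey="PLACEHOLDER_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_64_HEX_CHARS"
                validation="SHA1" />
  </system.web>
</configuration>
```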
gl
Does ssl guard against cookie hijacking or altering?


Jan 22 '06 #4
Yes, it does.

--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

"gl" <gl@discussions.microsoft.com> wrote in message
news:1E**********************************@microsoft.com...
Does ssl guard against cookie hijacking or altering?

Jan 23 '06 #5