
cookie encryption/security

gl
I'm currently making a web app that stores a user id in a cookie, and builds
user information off of that in the different pages of the site. The cookie is
created on login, and is separate from the authentication cookie. Are there
dangers to doing this? How easily can a cookie be tampered with? Are there any
fast setups, or things I can do for securing the cookie? I'm thinking someone
could tamper with the user id portion of the cookie and get someone else's
info.

I'm using a web farm environment, so I can't use other methods (like
session). Cookies seem to be the best way, but I wanted to know the dangers
and possible ways to prevent them.

Thanks.
Jan 21 '06 #1
4 Replies



If you are using a web farm you can still use session; you will only need
to persist the session in SQL Server or State Server instead of
InProc. (This has to be set in web.config.)

If you finally decide to insert a cookie ... there is a possibility that
someone could steal the cookie (or tamper with one), so what you can do is to
store on your servers other information about your client (like the IP
and browser configuration). This way the malicious user will have to
tamper with the IP apart from the cookie; this doesn't eliminate all the risk,
but at least it will be much harder.

This article implements that solution with an HTTPModule, but if you
don't want that you can simply insert the code in the asp.net pages.

http://msdn.microsoft.com/msdnmag/is...08/WickedCode/
--
Regards,
David Hernández Díez
MCDBA MCSD vs6 & .NET
DCE5 .Net1.1 & DCE2 .NET 2.0
Jan 21 '06 #2
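The following is an added example, not code from this thread or from the MSDN article, showing one way to apply the idea in the reply above: a user-id cookie that carries a keyed HMAC over the user id plus a fingerprint of the client (IP and User-Agent), so an altered user id or a cookie replayed from another client is rejected without any server-side state (a shared secret is all the farm's servers need in common). It is written in Python rather than ASP.NET; the secret, the fingerprint scheme, the `|`-separated layout and the helper names are assumptions.

```python
import hashlib
import hmac
import time

# Constructed key for the example; every server in the farm must share it.
SECRET_KEY = b"constructed-shared-farm-secret-do-not-use"

def _fingerprint(client_ip: str, user_agent: str) -> str:
    """Short digest of the client attributes the cookie is bound to.
    Caveat: binding to the IP breaks for clients behind rotating proxies."""
    raw = f"{client_ip}|{user_agent}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]

def _tag(payload: str) -> str:
    # HMAC makes the cookie tamper-evident; it does not hide the user id.
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def make_user_cookie(user_id: str, client_ip: str, user_agent: str,
                     issued_at=None) -> str:
    """Build the cookie value. user_id is assumed to contain no '|'."""
    issued = int(issued_at if issued_at is not None else time.time())
    payload = f"{user_id}|{issued}|{_fingerprint(client_ip, user_agent)}"
    return f"{payload}|{_tag(payload)}"

def read_user_cookie(cookie: str, client_ip: str, user_agent: str,
                     now=None, max_age: int = 3600):
    """Return the user id if the cookie is intact, bound to this client
    and fresh; otherwise None (the caller should re-authenticate)."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None                       # malformed or truncated
    user_id, issued, fp, tag = parts
    payload = f"{user_id}|{issued}|{fp}"
    if not hmac.compare_digest(_tag(payload), tag):
        return None                       # user id (or anything) was altered
    if fp != _fingerprint(client_ip, user_agent):
        return None                       # presented from a different client
    current = int(now if now is not None else time.time())
    if not issued.isdigit() or current - int(issued) > max_age:
        return None                       # stale cookie
    return user_id
```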

Actually, you can use session state across web farms. You can have
session state backed by SQL Server or ASP Session server. Either one will
do this for you. However, the web servers in the farm have to all be set up
the proper way. The following knowledge base article goes into more detail:

http://support.microsoft.com/default...B;EN-US;325056

I would recommend using this, since in essence, any attempt to do this
will result in pretty much reinventing the wheel.

As for cookie hijacking, that's a tough one. The following article from
MSDN magazine should help:

http://msdn.microsoft.com/msdnmag/is...08/WickedCode/

Even though it talks about the session id, it can be applied in a
general sense to any cookie information.

Hope this helps.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com


Jan 21 '06 #3

gl
Does ssl guard against cookie hijacking or altering?


Jan 22 '06 #4

Yes, it does.

--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com



Jan 23 '06 #5
