473,323 Members | 1,589 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,323 software developers and data experts.

How secure are cookies?

I am curious. If I save an id that points to a users information in a
cookie, is it possible for a hacker to create a tool to set a million
different cookies on his local machine and hit my site until a cookie value
works?

Thanks in advance. If there is a better newsgroup, let me know.

Jim
Nov 22 '05 #1
2 1113
the problem is that between cookies and network speed, it's 'virtually'
impossible. based on the type of ID you use.
you may opt for a UUID/GUID or a 128bit HASH... so that odds to catch the
same idgive you best odds.

see it this way,
how many chances are there for someone to to brute force attack on an ftp
server ???
even locally on a localhost, almost none, unless the password is ovious.

let me give you an example, it's a piece of cake to crack windows passwords
locally because the time it takes to validate a password is infinitesimal.
(ever heard of l0pht?)
but over the lan, even gigabit... odds are against hackers....

normally hackers dont go throught the front door, they let you stuggle to
barricade the front door, and they surprise you with ease from the back
entrance.
"Jim M" <an********@discussions.microsoft.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
I am curious. If I save an id that points to a users information in a
cookie, is it possible for a hacker to create a tool to set a million
different cookies on his local machine and hit my site until a cookie value works?

Thanks in advance. If there is a better newsgroup, let me know.

Jim

Nov 22 '05 #2
Yes, but more likely the 'hacker' can intercept the information in the
cookie or read it from the file cache off of a compromised machine.

If this is some type of authentication system, I suggest you take a look at
the material that's out there. The OpenGroup has a SSO (single sign-on)
specification that you could lift some ideas from.

--
Klaus H. Probst, MVP
http://www.vbbox.com/
"Jim M" <an********@discussions.microsoft.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
I am curious. If I save an id that points to a users information in a
cookie, is it possible for a hacker to create a tool to set a million
different cookies on his local machine and hit my site until a cookie value works?

Thanks in advance. If there is a better newsgroup, let me know.

Jim

Nov 22 '05 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

7
by: ojorus | last post by:
Hello! I want to make a login system as secure as possible on a website I develop. * The user shall log on using a Username and a password (which is stored in a mySQL database) *The server...
0
by: David Dunson | last post by:
I would like to implement user authentication and session management for my applications. I've been using solution 1 (below) for most of my applications in the past since the target audience is...
18
by: | last post by:
Please help. After a number of wrong turns and experiments I need advice on login management system to secure our web pages without inconveniencing our visitors or our internal staff. What I...
0
by: | last post by:
Which of these scenarios is better: A -- User Registers and is returned to the login screen to test his new username ie (email address). A login script checks user name against database....
7
by: Dan V. | last post by:
Situation: I have to connect with my Windows 2000 server using VS.NET 2003 and C# and connect to a remote Linux server at another company's office and query their XML file. Their file may be...
7
by: Seth | last post by:
I have noticed that the id of my session object changes when I switch from a non-secure to a secure connection. What I'm trying to do: I have a cookie that is built on the non-secure side of...
5
by: Joe | last post by:
I have an application which runs in a non-secure environment. I also have an application that runs in a secure environment (both on the same machine). Is there any way to share the session data for...
12
by: infini.g | last post by:
Hey, I was just wondering if / how would it be possible to create secure sessions for a website using Python CGI... I thought of using cookies, and things looked promising for a while; I could...
3
by: Will | last post by:
Is there a good article - or maybe a good chapter in a book - that someone can recommend on the topic of how to make cookie handling secure? I'm interested in common techniques for: -...
3
by: ast3r3x | last post by:
I'm trying to implement the protocol used at http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf to create cookies that can't be forged. I got everything working, except I have run into...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.