WebApp Sec mailing list archives

Re: Session security with cookies

From: "Scott C. Sanchez" <scottsanchez () gmail com>
Date: Tue, 4 Dec 2007 17:21:18 -0500

Encrypting or signing the data in the cookies is better than not doing
it.  My suggestion instead would be to use a hash of something unique
in the cookie (by itself) that maps back to a server-side table
linking the valid hashes to the data you are trying to keep track of.
The only gotcha here is to not use something predictable as the hash (
e.g. the users email address), because then someone can brute force
their way into figuring out your hash.  Random is your friend!

That way there is no data in the cookie to get tampered with (or
stolen), and if you get paranoid and use something robust like sha512
for the hash you store in the cookie, there is little chance anyone
will be able to spoof another user by 'guessing' the hash in their
cookie.

-Scott


On Dec 4, 2007 1:47 PM, Ron <ronlists () skullsecurity com> wrote:

Something I've recently been toying with is the idea of
encrypting/signing cookies with a private key on the server. The the
cookies can't be read or tampered with by the user, nor can they be
stolen by cross-site attacks and the like.

This isn't something I've done a lot of work with, however, so I may be
missing something obvious, and am open to comments on the idea.

Ron


Till Elsner wrote:

Hi, i'm investigating in web application security this time and i'm
trying to find some information about session management with cookies
and related security issues. Can anyone point me to tips on how to make
cookie based sessions more secure and how to prevent session hijacking?
How secure is session handling using cookies and what are the main
risks? Is anyone aware of good literature on that topic?
Thanks and have a nice day
Till

-------------------------------------------------------------------------
Sponsored by: WatchfireMethodologies & Tools for Web Application
Security AssessmentWith the rapid rise in the number and types of

security threats, web application security assessments should be
considered a crucial phase in the development of any web application.
What methodology should be followed? What tools can accelerate the
assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What 
tools can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

--





-- 

-------------------------------------------------------------------------
This message contains confidential information and is intended only
for the intended recipient(s). If you are not the named recipient you
should not read, distribute or copy this e-mail. Please notify the
sender immediately via e-mail if you have received this e-mail by
mistake; then, delete this e-mail from your system.

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

Current thread:

Re: Session security with cookies, (continued)
- - - Re: Session security with cookies Till Elsner (Dec 05)
    - Re: Session security with cookies Aaron Katz (Dec 05)
    - Re: Session security with cookies Till Elsner (Dec 05)
    - Re: Session security with cookies Aaron Katz (Dec 05)
    - Re: Session security with cookies Aaron Shelmire (Dec 08)
    - Re: Session security with cookies Eduardo Tongson (Dec 08)
    - Cryptographically Generated Cookies Paul Johnston (Dec 12)
    - Re: Cryptographically Generated Cookies Andy Steingruebl (Dec 14)
    - Re: Cryptographically Generated Cookies Jamie Riden (Dec 14)
    - RE: Session security with cookies Martin O'Neal (Dec 12)
    - Message not available
    - Re: Session security with cookies Scott C. Sanchez (Dec 04)
    - RE: Session security with cookies Martin O'Neal (Dec 05)
- Re: Session security with cookies Eduardo Tongson (Dec 05)