WebApp Sec mailing list archives
Fw: Re: Encrypted cookies
From: Rico Secada <coolzone () it dk>
Date: Thu, 10 Jan 2008 23:39:52 +0100
On Thu, 10 Jan 2008 10:26:08 -0600 Ron <ronlists () skullsecurity com> wrote:
Somebody here is developing a Web application that requires user logins, but that is unable to store session information on the server (don't ask me why, it's a long story). So here's what they propose:
Sorry, I can't help but to probe into the matter. If "somebody" is creating a web application that requires user login, then that somebody needs some way to store information on some kind of database on the server, usernames, passwords etc. You cannot store this information on the client side for later validation.
to take the username, hash of the password, and date the user logged in, encrypt them with a strong encryption algorithm, and store them in a cookie (along with a hash to ensure integrity).
"to take the username" if not stored on the server from where then? What do you want to accomplish with this? If you cannot store any information of any kind on the server, the information that you store in a cookie is rather worthless. Perhaps I have misunderstood you.
My question is, assuming a proper encryption algorithm/eky are chosen, can anybody think of a problem that this will create that sessions don't already have (namely, replay attacks)? I've thought about this for over a day, and I can't think of any obvious problems, but I could be missing something. Thanks! Ron ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Encrypted cookies Ron (Jan 10)
- Re: Encrypted cookies Andrew van der Stock (Jan 10)
- Re: Encrypted cookies Andy Steingruebl (Jan 11)
- Re: Encrypted cookies Andy Steingruebl (Jan 10)
- Re: Encrypted cookies Lucas Oman (Jan 10)
- RE: Encrypted cookies Brokken, Allen P. (Jan 10)
- Re: Encrypted cookies Orlin Gueorguiev (Jan 11)
- <Possible follow-ups>
- Re: Encrypted cookies Rico Secada (Jan 10)
- Fw: Re: Encrypted cookies Rico Secada (Jan 11)
- Re: Fw: Re: Encrypted cookies Ron (Jan 15)
- Re: Encrypted cookies Andrew van der Stock (Jan 10)