WebApp Sec mailing list archives
Re: Encrypted cookies
From: "Andy Steingruebl" <steingra () gmail com>
Date: Thu, 10 Jan 2008 13:43:43 -0800
On Jan 10, 2008 8:26 AM, Ron <ronlists () skullsecurity com> wrote:
Somebody here is developing a Web application that requires user logins, but that is unable to store session information on the server (don't ask me why, it's a long story). So here's what they propose: to take the username, hash of the password, and date the user logged in, encrypt them with a strong encryption algorithm, and store them in a cookie (along with a hash to ensure integrity). My question is, assuming a proper encryption algorithm/eky are chosen, can anybody think of a problem that this will create that sessions don't already have (namely, replay attacks)? I've thought about this for over a day, and I can't think of any obvious problems, but I could be missing something.
You'll want to consider adding some extra data. 1. How they were authenticated along with some sort of scoring or priority mechanism. 2. Where (what service, etc) they were authenticated 3. Optional - lifetime of the session You'll want that data if you ever need to authenticate people for one service but not others, if you want to force a lifetime of a session based on which service created it rather than allowing each consumer service to make the decision itself. I also wouldn't store the hash of the password in the session, why do you need it? -- Andy Steingruebl steingra () gmail com ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Encrypted cookies Ron (Jan 10)
- Re: Encrypted cookies Andrew van der Stock (Jan 10)
- Re: Encrypted cookies Andy Steingruebl (Jan 11)
- Re: Encrypted cookies Andy Steingruebl (Jan 10)
- Re: Encrypted cookies Lucas Oman (Jan 10)
- RE: Encrypted cookies Brokken, Allen P. (Jan 10)
- Re: Encrypted cookies Orlin Gueorguiev (Jan 11)
- <Possible follow-ups>
- Re: Encrypted cookies Rico Secada (Jan 10)
- Fw: Re: Encrypted cookies Rico Secada (Jan 11)
- Re: Fw: Re: Encrypted cookies Ron (Jan 15)
- Re: Encrypted cookies Andrew van der Stock (Jan 10)