WebApp Sec mailing list archives

Re: Encrypted cookies

From: "Andy Steingruebl" <steingra () gmail com>
Date: Thu, 10 Jan 2008 13:43:43 -0800

On Jan 10, 2008 8:26 AM, Ron <ronlists () skullsecurity com> wrote:

Somebody here is developing a Web application that requires user logins,
but that is unable to store session information on the server (don't ask
me why, it's a long story). So here's what they propose: to take the
username, hash of the password, and date the user logged in, encrypt
them with a strong encryption algorithm, and store them in a cookie
(along with a hash to ensure integrity).

My question is, assuming a proper encryption algorithm/eky are chosen,
can anybody think of a problem that this will create that sessions don't
already have (namely, replay attacks)?

I've thought about this for over a day, and I can't think of any obvious
problems, but I could be missing something.


You'll want to consider adding some extra data.

1. How they were authenticated along with some sort of scoring or
priority mechanism.
2. Where (what service, etc) they were authenticated
3. Optional - lifetime of the session

You'll want that data if you ever need to authenticate people for one
service but not others, if you want to force a lifetime of a session
based on which service created it rather than allowing each consumer
service to make the decision itself.

I also wouldn't store the hash of the password in the session, why do
you need it?

--
Andy Steingruebl
steingra () gmail com

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

Current thread:

Encrypted cookies Ron (Jan 10)
- Re: Encrypted cookies Andrew van der Stock (Jan 10)
  - Re: Encrypted cookies Andy Steingruebl (Jan 11)
- Re: Encrypted cookies Andy Steingruebl (Jan 10)
- Re: Encrypted cookies Lucas Oman (Jan 10)
- RE: Encrypted cookies Brokken, Allen P. (Jan 10)
  - Re: Encrypted cookies Orlin Gueorguiev (Jan 11)
- <Possible follow-ups>
- Re: Encrypted cookies Rico Secada (Jan 10)
- Fw: Re: Encrypted cookies Rico Secada (Jan 11)
  - Re: Fw: Re: Encrypted cookies Ron (Jan 15)