WebApp Sec mailing list archives
Re: Encrypted cookies
From: Orlin Gueorguiev <orlin () baturov com>
Date: Fri, 11 Jan 2008 01:17:35 +0100
Hi Allen, На Thursday 10 January 2008 22:02:01 Brokken, Allen P. написа:
Somebody here is developing a Web application that requires user logins, but that is unable to store session information on the server (don't ask me why, it's a long story). So here's what they propose: to take the username, hash of the password, and date the user logged in, encrypt them with a strong encryption algorithm, and store them in a cookie (along with a hash to ensure integrity).
I am currently in a simiral position. I have to write an authentication/authorization program and to present my work J have to make a few example pages...
My question is, assuming a proper encryption algorithm/eky are chosen, can anybody think of a problem that this will create that sessions don't already have (namely, replay attacks)?
I have always loved taking a different angle. Having a cryptographic cookie... means that we are having a token, which can be used for authentication for a specific domain and time. Doesn't that mean that we have a key for a specific domain and time? (the replay attacks are based somewhat on that logic, right?) So is an approach that creates a static token a real security sollution? May be a more dynamic "cookie" can be the solution. A cookie that works with a CHAP based sollution (what I think) somewhat more secure. Offcourse there is the productivity problem... Search in google for: session security with coockies. It will help you a lot. A nice link as well: http://www.technicalinfo.net/papers/WebBasedSessionManagement.html Regards, Orlin ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Encrypted cookies Ron (Jan 10)
- Re: Encrypted cookies Andrew van der Stock (Jan 10)
- Re: Encrypted cookies Andy Steingruebl (Jan 11)
- Re: Encrypted cookies Andy Steingruebl (Jan 10)
- Re: Encrypted cookies Lucas Oman (Jan 10)
- RE: Encrypted cookies Brokken, Allen P. (Jan 10)
- Re: Encrypted cookies Orlin Gueorguiev (Jan 11)
- <Possible follow-ups>
- Re: Encrypted cookies Rico Secada (Jan 10)
- Fw: Re: Encrypted cookies Rico Secada (Jan 11)
- Re: Fw: Re: Encrypted cookies Ron (Jan 15)
- Re: Encrypted cookies Andrew van der Stock (Jan 10)