cookie encryption/security

Thread starter: Guest

I'm currently making a web app that stores a user id in a cookie, and builds
user information off of that in the different pages of the site. The cookie is
created on login, and is separate from the authentication cookie. Are there
dangers to doing this? How easily can a cookie be tampered with? Are there any
fast setups, or things I can do for securing the cookie? I'm thinking someone
could tamper with the user id portion of the cookie and get someone else's
info.

I'm using a web farm environment, so I can't use other methods (like
session). Cookies seem to be the best way, but I wanted to know the dangers
and possible ways to prevent them.

Thanks.
 
gl said:
I'm currently making a web app that stores a user id in a cookie, and builds
user information off of that in the different pages of the site. The cookie is
created on login, and is separate from the authentication cookie. Are there
dangers to doing this? How easily can a cookie be tampered with? Are there any
fast setups, or things I can do for securing the cookie? I'm thinking someone
could tamper with the user id portion of the cookie and get someone else's
info.

I'm using a web farm environment, so I can't use other methods (like
session). Cookies seem to be the best way, but I wanted to know the dangers
and possible ways to prevent them.

Thanks.

If you are using a web farm you can still use session; you will only need
to persist the session in SQL Server or State Server instead of
InProc. (This has to be set in web.config.)

If you finally decide to insert a cookie... There is a possibility that
someone could steal the cookie (or tamper with one), so what you can do is
store on your servers other information about your client (like the IP
and browser configuration). This way the malicious user will have to
tamper with the IP apart from the cookie; this doesn't eliminate all the risk,
but at least it will be much harder.

This article implements that solution with an HTTPModule, but if you
don't want that you can simply insert the code in the ASP.NET pages.

http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/
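As an added illustration (not code from this thread or from the MSDN article), here is the tamper check the question asks about combined with the client binding the reply above suggests: the user id is protected by an HMAC under a server-side key, and the cookie also carries a hash of the client's IP and browser string so a copied cookie presented from elsewhere is rejected. The key, IP addresses and user-agent string are constructed sample values; the technique is language-independent even though it is shown in Python rather than ASP.NET.

```python
import hashlib
import hmac

# Server-side key that every server in the farm must share.
# Constructed sample value for this example, not a real secret.
SECRET_KEY = b"example-shared-key-replace-in-production"


def client_binding(ip: str, user_agent: str) -> str:
    """Short hash of the client attributes the reply suggests checking (IP + browser)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()[:16]


def make_cookie(user_id: int, ip: str, user_agent: str) -> str:
    """Build 'user_id|binding|mac'. The MAC covers everything before it,
    so changing the user id (or the binding) invalidates the cookie."""
    payload = f"{user_id}|{client_binding(ip, user_agent)}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def read_cookie(cookie: str, ip: str, user_agent: str):
    """Return the user id if the cookie is authentic and bound to this client, else None."""
    try:
        user_id, binding, mac = cookie.split("|")
    except ValueError:  # wrong number of fields: not something this server issued
        return None
    payload = f"{user_id}|{binding}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not reveal how many MAC bytes matched.
    if not hmac.compare_digest(mac, expected):
        return None
    # Reject a cookie replayed from a different IP/browser (the second check in the reply).
    if not hmac.compare_digest(binding, client_binding(ip, user_agent)):
        return None
    return int(user_id) if user_id.isdigit() else None


if __name__ == "__main__":
    c = make_cookie(42, "203.0.113.5", "Mozilla/5.0")
    print(read_cookie(c, "203.0.113.5", "Mozilla/5.0"))        # 42: untouched cookie
    edited = "7" + c[c.index("|"):]                            # only the user id portion changed
    print(read_cookie(edited, "203.0.113.5", "Mozilla/5.0"))   # None: MAC no longer matches
    print(read_cookie(c, "198.51.100.9", "Mozilla/5.0"))       # None: same cookie, other client
```

Signing gives tamper evidence only; if the user id itself must stay hidden from the client, encrypt the payload as well, and note that the IP binding can break for users behind rotating proxies.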
 
Actually, you can use session state across web farms. You can have
session state backed by SQL Server or ASP Session server. Either one will
do this for you. However, the web servers in the farm have to all be set up
the proper way. The following knowledge base article goes into more detail:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;325056&ID=KB;EN-US;325056

I would recommend using this, since in essence, any attempt to do this
will result in pretty much reinventing the wheel.

As for cookie hijacking, that's a tough one. The following article from
MSDN magazine should help:

http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/

Even though it talks about the session id, it can be applied in a
general sense to any cookie information.

Hope this helps.
 
Does SSL guard against cookie hijacking or altering?

Nicholas Paldino said:
Actually, you can use session state across web farms. You can have
session state backed by SQL Server or ASP Session server. Either one will
do this for you. However, the web servers in the farm have to all be set up
the proper way. The following knowledge base article goes into more detail:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;325056&ID=KB;EN-US;325056

I would recommend using this, since in essence, any attempt to do this
will result in pretty much reinventing the wheel.

As for cookie hijacking, that's a tough one. The following article from
MSDN magazine should help:

http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/

Even though it talks about the session id, it can be applied in a
general sense to any cookie information.

Hope this helps.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

 
Yes, it does.

--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

gl said:
Does SSL guard against cookie hijacking or altering?

 