How secure are cookies?


Jim M

I am curious. If I save an id that points to a user's information in a
cookie, is it possible for a hacker to create a tool to set a million
different cookies on his local machine and hit my site until a cookie value
works?

Thanks in advance. If there is a better newsgroup, let me know.

Jim
 
The problem is that between cookies and network speed, it's 'virtually'
impossible, based on the type of ID you use.
You may opt for a UUID/GUID or a 128-bit hash... so that the odds of catching the
same ID give you the best odds.

See it this way:
how many chances are there for someone to brute force attack an FTP
server?
Even locally on a localhost, almost none, unless the password is obvious.

Let me give you an example: it's a piece of cake to crack Windows passwords
locally because the time it takes to validate a password is infinitesimal.
(Ever heard of l0pht?)
But over the LAN, even gigabit... odds are against hackers....

Normally hackers don't go through the front door; they let you struggle to
barricade the front door, and they surprise you with ease from the back
entrance.
 
Yes, but more likely the 'hacker' can intercept the information in the
cookie or read it from the file cache off of a compromised machine.

If this is some type of authentication system, I suggest you take a look at
the material that's out there. The Open Group has an SSO (single sign-on)
specification that you could lift some ideas from.
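
The two replies above, on an unguessable 128-bit identifier and on interception of the cookie, can be seen together in the following added example, which is not code from any poster in this thread. It issues a random 128-bit session id with cookie flags that limit interception, and estimates how long blind guessing would take; the in-memory store, the cookie name `sid` and the function names are assumptions made for illustration.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie

ID_BITS = 128  # size suggested in the thread (UUID/GUID or 128-bit hash)

# Hypothetical in-memory session store: SHA-256(session id) -> user id.
# Keeping only the digest means a leaked store does not expose live cookie values.
SESSIONS = {}


def _digest(session_id: str) -> str:
    return hashlib.sha256(session_id.encode("ascii")).hexdigest()


def issue_session(user_id: int) -> str:
    """Create an unguessable session id and return the Set-Cookie header value."""
    session_id = secrets.token_hex(ID_BITS // 8)  # CSPRNG output, not a row id
    SESSIONS[_digest(session_id)] = user_id
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["secure"] = True    # only sent over HTTPS
    cookie["sid"]["httponly"] = True  # not readable from page scripts
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def lookup_session(cookie_header: str):
    """Return the user id for a Cookie request header, or None if unknown."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "sid" not in cookie:
        return None
    return SESSIONS.get(_digest(cookie["sid"].value))


def expected_years_to_guess(id_bits: int, live_sessions: int,
                            guesses_per_sec: float) -> float:
    """Mean time for uniformly random guesses to hit any one live session id."""
    expected_guesses = 2 ** id_bits / live_sessions
    return expected_guesses / guesses_per_sec / (365 * 24 * 3600)


if __name__ == "__main__":
    print(issue_session(42))
    # Constructed figures: one million live sessions, one million guesses/second.
    print(expected_years_to_guess(128, 1_000_000, 1_000_000), "years at 128 bits")
    print(expected_years_to_guess(32, 1_000_000, 1_000_000), "years at 32 bits")
```

The same estimate for a 32-bit id, such as a sequential database key, comes out at a fraction of a second, which is why the id stored in the cookie should be random and long rather than the record number itself.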
 