Site Security - Best Practises

Thread starter: Richard Coltrane

Richard Coltrane

Hi there,

I have a site that uses encrypted JavaScript cookies to hold session data,
particularly user site role data. Although this data is encrypted, I've just
realised that if I copy the encrypted role data from one cookie and paste it
into another cookie I can make requests to the site using elevated
privileges.

So I'm wondering how everyone else gets around this when using cookie-based
sessions (I run on a shared hosting server; server sessions are not an option).
The way I see it, I'm really vulnerable because the user is only authenticated
once at login and from there site and role data (which is passed in from the
cookie) is simply "believed" and used to provide site access.

How do you guys and girls do it? Given I can copy-paste the site role
string and reuse it, I don't see the point in encrypting it in the first
place. All someone needs to do is sniff the cookie of a higher-privileged
user and then use the encrypted site role info in their own cookie... they
don't need to decrypt/crack anything.

Thanks

Richard
 
Hello Richard,

It's called "session hijacking". There are several ways to mitigate this
risk, such as encoding the IP in cookies, etc.
I recommend reading the following articles, which describe the nature of the
problem and how to avoid it:

http://technet.microsoft.com/en-au/magazine/cc160809.aspx
http://msdn.microsoft.com/en-us/magazine/cc300500.aspx

---
WBR,
Michael Nemtsev [.NET/C# MVP] :: blog: http://spaces.live.com/laflour

"The greatest danger for most of us is not that our aim is too high and we
miss it, but that it is too low and we reach it" (c) Michelangelo

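The cut-and-paste Richard describes works because the role field is protected on its own, so nothing ties it to the user it was issued for. As an added example (not code from either poster, and written in Python for illustration rather than the site's own stack), the cookie below authenticates user, role and expiry together with an HMAC under a server-side key, so a role transplanted from another cookie no longer verifies; the key value, claim names and sample users are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads it from server-side configuration
# and never sends it to the browser.
SECRET = b"constructed-demo-key-do-not-reuse"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user: str, role: str, now: int, ttl: int = 3600) -> str:
    """One cookie value in which user, role and expiry are authenticated as a unit."""
    payload = _b64(json.dumps({"u": user, "r": role, "exp": now + ttl}).encode())
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str, now: int):
    """Return (user, role) when the tag matches and the cookie is unexpired, else None."""
    payload, sep, tag = cookie.partition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(_unb64(payload))
    except ValueError:
        return None
    if claims.get("exp", 0) <= now:  # expired cookies are rejected even with a valid tag
        return None
    return claims["u"], claims["r"]


def tamper_role(own_cookie: str, other_cookie: str) -> str:
    """Reproduce the thread's test: keep my own tag but take the role from another cookie."""
    own_claims = json.loads(_unb64(own_cookie.partition(".")[0]))
    own_claims["r"] = json.loads(_unb64(other_cookie.partition(".")[0]))["r"]
    return _b64(json.dumps(own_claims).encode()) + "." + own_cookie.partition(".")[2]


if __name__ == "__main__":
    now = 1_700_000_000
    admin, member = issue_cookie("alice", "admin", now), issue_cookie("bob", "member", now)
    print(verify_cookie(member, now))                      # ('bob', 'member')
    print(verify_cookie(tamper_role(member, admin), now))  # None: tag no longer matches
```

A cookie copied in its entirety from another user still verifies, which is the hijacking case the reply points at; that is addressed by the Secure and HttpOnly flags, TLS, a short expiry and server-side revocation rather than by the tag.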
 