[thesite] high level cookie question..

Warden, Matt mwarden at odyssey-design.com
Tue Jun 5 16:04:52 CDT 2001


> From: "Daniel J. Cody" <djc at starkmedia.com>
> Subject: [thesite] high level cookie question..
> 

> ok, i'm just getting into cookies and wanted to throw this question
> out there to those of you who are smarter than I in that dept.
> 
> basically, how bad (unsafe and all that good stuff) is it to store
> user information in a cookie once they're logged in? can one easily
> modify their cookie to pretend to be me? is reading a cookie a good
> enough answer to authentication? (we're doing it now..)

It depends, bro.

I mean, if you're just reading a userid out of a cookie, gimme five
minutes to whip up a PurlSkript and do a bunch of mean stuff on
thesite with your god status.

But, if I remember correctly (because I'm a nut who surfs with a
browser that prompts me with whether to accept or reject every
cookie), there's some whacked hash that is stored in the cookie now.

I just about always store username and password info in session
cookies, rather than the userid or a true/false isLoggedIn type of
thing. Then I reverify that they exist in the DB with each page that
requires a login. But, these are like 99.99% intranet management
systems for a public internet site, so extra queries aren't all that
much of a concern when only 20-25 users will be on the system each
day.

But, the good thing about session cookies is that they aren't
(supposed to be) stored on the client computer. So, really the only
possible security issue is if Joe Schmo creates a cookie (as a txt
file or in cookies.txt depending on the browser, or in a perlscript)
and guesses the name of the cookies and also the username and
password. And, if he can do that, he can just log into the damn site
anyways.

That kinda what you're lookin for?

--
mattwarden
mattwarden.com

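As an added illustration (not code from this thread), here is the difference the reply is pointing at, in Python: a cookie that carries only a user id is accepted as-is, so whoever edits the id becomes that user, while a cookie that carries an HMAC over the id and an expiry lets the server detect any change before trusting it. The secret, the field layout and the function names are assumptions for the example.

```python
import hmac
import hashlib
import time

# Constructed sample key; in practice this lives only on the server.
SECRET = b"server-side-secret-change-me"


def naive_cookie(user_id):
    """The scheme the reply warns about: the cookie value *is* the identity."""
    return "userid=%d" % user_id


def naive_read(cookie):
    """Trusts whatever the client sent back; any client can claim any id."""
    return int(cookie.split("=", 1)[1])


def signed_cookie(user_id, ttl, secret=SECRET, now=None):
    """Format 'uid|exp|mac' (assumed layout): the mac binds uid and expiry."""
    now = int(time.time()) if now is None else now
    payload = "%d|%d" % (user_id, now + ttl)
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + mac


def verify_cookie(cookie, secret=SECRET, now=None):
    """Return the user id, or None if the cookie is altered, malformed or expired."""
    now = int(time.time()) if now is None else now
    try:
        uid, exp, mac = cookie.split("|")
        payload = "%s|%s" % (uid, exp)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check itself leaks nothing about the mac.
        if not hmac.compare_digest(mac, expected):
            return None
        if int(exp) <= now:
            return None
        return int(uid)
    except ValueError:  # wrong number of fields or non-numeric uid/exp
        return None
```

A signed cookie still identifies the user, so it should be sent only over HTTPS and given a short lifetime; the reply's alternative of re-checking the database on every protected page adds a server-side revocation point that a signature alone does not give you.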