cookie usage with FF

Discussion in 'General Web Coding' started by snooper, Apr 27, 2007.

  1. snooper

    snooper Perch

    hey folks.

    i think we all use cookies to save user data in systems - especially when database login systems are in use.

    I recently saw in FF though, using the Web Developer Toolbar, that one can view cookie information for specific sites. But not only that - one can also EDIT the cookie. This means that if i log in as snooper, get validated, but then edit my cookie to that of Tanmaya, for example - i might be able to see information that is not my own. Obviously i am not talking about any specific system, but what it seems like to me is that a system that i build has to keep validating that the user (based on the cookie) is who he really is - which basically removes the need for the cookie in the first place...

    has anyone given this issue some thought?
    would love to hear how other folks approach this issue, and login/user system in general.

    Thanks!
  2. doctorallia

    doctorallia Perch

  3. snooper

    snooper Perch

    first of all, i assume a session can be changed just the same as the above - because after all, a session is a cookie.

    and second of all - a session cannot be relied on for more than a few minutes.
  4. KCWebMonkey

    KCWebMonkey Perch

    i don't think he's referring to session cookies... he's probably referring to session objects (asp example: ASP Session object)
  5. snooper

    snooper Perch

    me too.

    doing
    Session("username")="Donald Duck"

    is in effect using a cookie, as far as i know.
  6. SubSpace

    SubSpace Bass

    Cookies should never be considered a trusted source of information when developing a website. If you log onto a forum, it doesn't (or shouldn't) store just the user ID of the person that's logged in, but also some kind of secret, hard to guess value.
    Often this is just a pseudo-random string of reasonable length that's being used on the server side to match up against your user ID or whichever information is in the cookie.

    Session variables and accompanying cookies use a similar system, except they only store the random key and keep the rest of the information on the server side, safe from being tampered with directly.

    Cookies can be edited in IE too btw, they're just text-files sitting in some directory.

    Anyway, this is very important to realise. If you want to get an idea of what might happen if you trust cookies, read this article
  7. tetranz

    tetranz Perch

    All the above is correct but most of the time you don't need to worry about it if you use the standard Session functionality in your language of choice and don't try to roll your own.

    In ASP: Session("username") = "Donald Duck"
    In PHP: $_SESSION["username"] = "Donald Duck"
    etc

    all use a cookie but, as SubSpace describes, it's a random string, not the actual value of the data. If it's long enough and not sequential, then a hacker trying his luck by fiddling with a few characters has no hope of producing another valid value. He is just going to produce an invalid value which will immediately do something on the server like create a new session, which means that he is effectively logged out. Your Session object will have no data.

    The other way of doing sessions is by putting the long random string in the URL. The advantage is that it works if someone has cookies disabled in their browser. That seems to be less popular these days now that the paranoia about cookies has faded. It's dangerous because people can bookmark those URLs, send them to others, or they also end up in referrer logs which can be indexed by search engines. Non-persistent (i.e. session) cookies really are the perfect way to do sessions.

    Cheers
    Ross
  8. snooper

    snooper Perch

    So how would you recommend doing it?

    Whoops! that's quite a story... 8o

    Hey Ross. Thanks for your input.


    I hear you - i would stay far away from those osCommerce-like URLs with the PHP session id....
    BUT - using sessions cannot be depended on, from my experience, especially seeing as hosts set the ASP pool to reset at whatever interval they want, to keep resources down - even though you might try to set your own timeout. At one particular host, i had my session reset within seconds - literally, which obviously means no one can get any work done - whether in a forum, CMS etc...
  9. doctorallia

    doctorallia Perch

    a session isn't a cookie. a session id is stored in a cookie, but that is just an encrypted string.

    i use sessions all the time in php here at jodo and i have never had any problem with them not lasting.

    there is really no other logical way to do a login system. if you are worried about security.. store their ip or agent info in the session and then check that every time they make another request
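The pattern SubSpace, Ross and doctorallia describe above, as an added example that is not code from any post in this thread: a server-side session table keyed by a long random id, with the user id (and the client's user agent) kept on the server, so that editing the cookie in the browser yields no session at all rather than someone else's. The naive cookie parser, the in-memory store, the cookie names `user`/`sid` and the `now` parameter are constructed for the demonstration.

```python
import hmac
import secrets
import time

# Constructed in-memory session table (a real site would use its framework's
# session handler or a database); maps random session id -> server-side data.
SESSIONS = {}
SESSION_TTL = 600  # seconds; the server decides the lifetime, not the client

def parse_cookie_header(header):
    """Split a raw 'Cookie:' header such as 'user=snooper; theme=dark' into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies

def naive_user_from_cookie(header):
    """The trusting pattern snooper saw: the cookie itself names the user,
    so whoever edits it in the browser decides who they are."""
    return parse_cookie_header(header).get("user")

def create_session(user_id, user_agent, now=None):
    """Issue an opaque, unguessable id; the user id never leaves the server."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 random bits: fiddling a few chars cannot hit another valid id
    SESSIONS[sid] = {"user": user_id, "agent": user_agent, "expires": now + SESSION_TTL}
    return sid

def user_from_session_cookie(header, user_agent, now=None):
    """Resolve the 'sid' cookie to a user, or None when the id is unknown,
    expired, or presented by a client with a different user agent."""
    now = time.time() if now is None else now
    sid = parse_cookie_header(header).get("sid", "")
    entry = SESSIONS.get(sid)
    if entry is None:
        return None  # tampered or forged id: behaves like being logged out
    if entry["expires"] < now:
        del SESSIONS[sid]  # expired: the next request starts a fresh, empty session
        return None
    # Binding to the user agent, as doctorallia suggests; constant-time compare.
    if not hmac.compare_digest(entry["agent"].encode(), user_agent.encode()):
        return None
    return entry["user"]
```
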
  10. snooper

    snooper Perch

    i hear you.
    here at Jodo, sessions seem to last less than 10 mins for me in ASP
  11. KCWebMonkey

    KCWebMonkey Perch

    but wouldn't that just be the default session time? I know at least with ASP you can specifically set the session timeout:

    Code:
    <%
    Session.Timeout=10
    %>
    
  12. snooper

    snooper Perch

    as i mentioned, when the ASP pool resets, sessions are lost regardless of how long you set them to.
  13. KCWebMonkey

    KCWebMonkey Perch

    well that's just crap :)

    any clue how often that happens? I wouldn't think that would be very often, and if it was, i'd ask to move to a different application pool.
