cookie usage with FF

[snooper]

hey folks.

i think we all use cookies to save user data in systems - especially when database login systems are in use.

I recently saw in FF though, using the Web Developer Toolbar, that one can view cookie information for specific sites. but not only that - one can also EDIT the cookie. This means, that if i log in as snooper, get validated, but then edit my cookie to that of Tanmaya, for example - i might be able to see information that is not my own. Obviously i am not talking about any specific system, but what it seems like to me - is that a system that i build, has to keep validating that the user (based on the cookie) is who he really is - which basically removes need of the cookie in the first place...

has anyone given this issue some thought?
would love to hear how other folks approach this issue, and login/user system in general.

Thanks!

 

[doctorallia]

sessions

 

[snooper]

first of all, i assume a session can be changed just the same at the above - because after all, a session is a cookie.

and second of all - a session cannot be relied on for more than a few minutes.

 

[KCWebMonkey]

i don't think he's referring to session cookies... he's probably referring to session objects (asp example: ASP Session object)

 

[snooper]

me too.

doing
Session("username")="Donald Duck"

is in effect using a cookie, as far as i know.

 

[SubSpace]

Cookies should never be considered a trusted source of information when developing a website. If you log onto a forum, it doesn't (or shouldn't) store just the user ID of the person that's logged in, but also some kind of secret, hard to guess value.
Often this is just a pseudo-random string of reasonable length that's being used on the server side to match up against your user ID or whichever information is in the cookie.

Session variables and accompanying cookies use a similar system, except they only store the random key and keep the rest of the information on the server side, safe from being tampered with directly.

Cookies can be edited in IE too btw, they're just text-files sitting in some directory.

Anyway, this is very important to realise.. If you want to get an idea of what might happen if you trust cookies, read this article

 

[tetranz]

All the above is correct but most of the time you don't need to worry about it if you use the standard Session functionality in your language of choice and don't try to roll your own.

In ASP: Session("username") = "Donald Duck"
In PHP: $_Session["username"] = "Donald Duck"
etc

all use a cookie but, as SubSpace describes, its a random string, not the actual value of the data. If its long enough and not sequential, then a hacker trying his luck by fiddling with a few characters has no hope of producing another valid value. He is just going to produce an invalid value which will immediately do something on the server like create a new session which means that he is effectively logged out. Your Session object will have no data.

The other way of doing sessions is by putting the long random string in the URL. The advantage is that it works if someone has cookies disabled in their browser. That seems to be less popular these days now that the paranoia about cookies has faded. Its dangerous because people can bookmark those URLs, send them to others or they also end up in referrer logs which can be indexed by search engines. Non-persistent (i.e. session) cookies really are the perfect way to do sessions.

Cheers
Ross

 

[snooper]

Cookies should never be considered a trusted source of information when developing a website. .....

So how would you recommend doing it?

Anyway, this is very important to realise.. If you want to get an idea of what might happen if you trust cookies, read this article

Whoops! thats quite a story... 8o

Cheers
Ross

Hey Ross. Thanks for your input.

Non-persistent (i.e. session) cookies really are the perfect way to do sessions.

I hear you - i would stay far away from those osCommerce-like URLs with the PHP session id....
BUT - using sessions cannot be depended on, from my experience, esecially seen as host set the ASP pool to reset at whatever interval they want, to keep resources down - even though you might try set your own timeout. At one particular host, i had my session reset within seconds - literally, which obviously means no one can get any work done - whether in a forum, CMS etc...

 

[doctorallia]

first of all, i assume a session can be changed just the same at the above - because after all, a session is a cookie.

and second of all - a session cannot be relied on for more than a few minutes.

a session isnt a cookie.. a session id is stored in a cookie, but that is just an encrypted string.

i use sessions all the time in php here at jodo and i have never had any problem with them not lasting.

there is really no other logical way to do a login system. if you are worried about security.. store their ip or agent info in the session and then check that every time they make another request

 

[snooper]

i hear you.
here at Jodo, sessions seem to last less then 10 mins for me in ASP

 

[KCWebMonkey]

but wouldn't that just be the default session time? I know at least with ASP you can specifically set the session timeout:

<%
Session.Timeout=10
%>

 

[snooper]

as i mentioned, when the ASP pool resets, sessions are lost regardless of how long you set them to.

 

[KCWebMonkey]

well that's just crap

any clue how often that happens? I wouldn't think that would be very often, and if it was, i'd ask to move to a different application pool.