
How to protect cookies from an attack
<p>I want to use cookies for storing the userId during the session, which lets me avoid unnecessary round trips to the database. This userId is used to access some user-specific information. As cookies can be easily edited, I'm now concerned with the security issue.</p>

<p>In order to forbid a logged-in user to edit their userId and so get access to other users' information, I use a pretty straightforward method. I add one more cookie at the moment the userId cookie is created, which stores a hashed value for it. While hashing I use a hard-coded 64-byte key. When retrieving the userId from the cookie, it is always checked whether it matches its hashed value.</p>

<p>Here is basically my code:</p>

<pre><code>public static int GetUserId(Page page)
{
    int userId;
    if (page.Request.Cookies["userId"] != null &amp;&amp; page.Request.Cookies["userIdHashed"] != null)
    {
        string userIdHashed = page.Request.Cookies["userIdHashed"].Value;
        string userIdCookie = page.Request.Cookies["userId"].Value;
        // Recompute the hash of the cookie value plus the hard-coded key and compare it with the stored one.
        string cookie = (userIdCookie + "945AFF2FD0F1D89B4B1DBEB1B0C5D3B8B5DCE000AAEA331EB0C3F3A68C3865EFA73BC6EBF30C8DF1AD6B9ECB7094DA5B0C1AF36B5BBD096E3D873E9589E3F664").GetHashCode().ToString();
        if (userIdHashed == cookie)
        {
            userId = Int32.Parse(userIdCookie);
        }
        else
        {
            throw new Exception("UserId does not match!");
        }
    }
    else
    {
        userId = ...; // here userId is being retrieved from the database, and then:
        page.Response.Cookies["userId"].Value = userId.ToString();
        page.Response.Cookies["userId"].HttpOnly = true;
        string userIdHashed = (userId.ToString() + "945AFF2FD0F1D89B4B1DBEB1B0C5D3B8B5DCE000AAEA331EB0C3F3A68C3865EFA73BC6EBF30C8DF1AD6B9ECB7094DA5B0C1AF36B5BBD096E3D873E9589E3F664").GetHashCode().ToString();
        page.Response.Cookies["userIdHashed"].Value = userIdHashed;
        page.Response.Cookies["userIdHashed"].HttpOnly = true;
    }
    return userId;
}
</code></pre>

<p>So my questions are:</p>

<ul>
<li><p>Can such an approach be considered reliable enough in this situation?</p></li>
<li><p>If not, should I modify it, and how, or should I look for something different (e.g. encryption/decryption via System.Security.Cryptography as recommended <a href="https://stackoverflow.com/questions/4360839/encrypt-cookies-in-asp-net">here</a>)?</p></li>
</ul>

<p>And an additional question: does it really make sense to set HttpCookie.HttpOnly = true to prevent JavaScript from accessing the cookie, given that it can also easily be modified by the user?</p>

<p><strong>UPDATE</strong></p>

<p>Many thanks for the answers from Kerrek SB and Darin Dimitrov, who share the opinion that it does not make sense to try to protect cookies on my own, taking into account that there are already built-in protected mechanisms for storing this kind of information between postbacks.</p>

<p>Options suggested are:</p>

<ul>
<li>Using the ASP.NET <code>cache</code> (but I believe it is generally supposed to store information which should be shared between users, so I look at the other two options).</li>
<li>Adding a custom string with the userId into the UserData part of the <code>FormsAuthenticationTicket</code>.</li>
<li>Using the <code>Session State</code>.</li>
</ul>

<p>So currently I'm deciding between the latter two.</p>

<p>Changing the FormsAuthenticationTicket is not really straightforward. Additionally, it does not work with cookieless Forms Authentication (as stated <a href="http://www.asp.net/security/tutorials/forms-authentication-configuration-and-advanced-topics-cs" rel="nofollow noreferrer">here</a>).</p>

<p>Using the Session State is much easier, but it can affect performance because it stores the values in server memory. However, maybe in my case it is not so dramatic, because we store only the userId of type int.</p>

<p>So for now the last option looks much better to me. However, I would greatly appreciate it if anybody else could comment and support or criticise any of the options discussed.</p>

<p>Thanks in advance!</p>
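The cookie signing the question asks about, done with System.Security.Cryptography rather than GetHashCode, as an added example that is not code from the question or its answers: the userId is tagged with an HMAC-SHA256 under a server-side key and the tag is verified in constant time before the value is trusted. The class and method names and the key literal are placeholders of my own, and it runs as a console Main instead of reading HttpCookie objects.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example, not the asker's code: tag the userId with HMAC-SHA256 under a server-side key
// instead of string.GetHashCode(), a 32-bit non-cryptographic hash anyone can recompute without a key.
public static class SignedUserIdCookie
{
    // Cookie value is "<userId>.<base64 HMAC-SHA256 over userId>".
    public static string Create(int userId, byte[] key)
    {
        string payload = userId.ToString();
        return payload + "." + Convert.ToBase64String(Mac(payload, key));
    }
    // Yields the userId only when the tag verifies; a malformed or edited cookie is rejected.
    public static bool TryRead(string cookieValue, byte[] key, out int userId)
    {
        userId = 0;
        if (string.IsNullOrEmpty(cookieValue)) return false;
        int dot = cookieValue.IndexOf('.');
        if (dot <= 0) return false;
        string payload = cookieValue.Substring(0, dot);
        byte[] presented;
        try { presented = Convert.FromBase64String(cookieValue.Substring(dot + 1)); }
        catch (FormatException) { return false; }
        if (!FixedTimeEquals(Mac(payload, key), presented)) return false;
        return int.TryParse(payload, out userId);
    }
    private static byte[] Mac(string payload, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
    // Constant-time comparison so timing does not reveal how many tag bytes matched
    // (on .NET Core 2.1+ CryptographicOperations.FixedTimeEquals does the same).
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void Main()
    {
        // Constructed placeholder key: load a random key from configuration in a real app, never a literal.
        byte[] key = Encoding.UTF8.GetBytes("placeholder-demo-key-0123456789abcdef");
        string cookie = Create(42, key);
        Console.WriteLine(TryRead(cookie, key, out int id) ? "accepted " + id : "rejected");
        // Same cookie with the userId edited to 43: the tag no longer matches.
        Console.WriteLine(TryRead("43" + cookie.Substring(2), key, out int id2) ? "accepted " + id2 : "rejected");
    }
}
```

HttpOnly is still worth setting on such a cookie: it keeps script from reading the value, but it does nothing against editing, which is what the tag covers.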