I have a system where someone logs in with a user and pass, and webdna checks a user database. If they are a member, they get a cookie named status with a value of current. This lets them into the member area. Anyone can see the name and value by looking at their cookies in the browser settings. So is this a bad idea on my part? The wiki article was somewhat over my head.
Terry
On Sun, 25 Oct 2009 23:55:24 -0400
WilliamDeVaul <wdevaul@gmail.com> wrote:
> It can be easy depending on countermeasures in place.
>
> http://en.wikipedia.org/wiki/Session_hijacking
>
> One super easy way is to store user credentials in the cookie. For
> example, if after logging in as "bill" to a web site, a cookie with
> the user name "bill" is stored on the client so that the server
> remembers me as "bill" on subsequent requests, the client could read
> the cookie and change the credential to "jim." This problem is not
> solved by the use of SSL but by not storing user credentials in the
> cookie in such a manner that they can be easily modified.
>
> For this reason, it is highly recommended to encrypt data in the
> cookie.
>
> Bill
>
> On Sun, Oct 25, 2009 at 9:10 PM, Terry Wilson
> <terry@terryfic.com> wrote:
>> How does hijacking work, and is it an easy thing to do?
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to
> the mailing list <talk@webdna.us>.
> To unsubscribe, E-mail to: <talk-leave@webdna.us>
> archives: http://mail.webdna.us/list/talk@webdna.us
> old archives: http://dev.webdna.us/TalkListArchive/
> Bug Reporting: http://forum.webdna.us/eucabb.html?page=topics&category=288
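An added illustration of the point Bill makes in the quoted reply: a cookie value is a string the browser chooses to send back, so a bare `status=current` (or `user=bill`) cookie cannot tell the server who really logged in. The code below is not WebDNA and is not from this thread; it is example Python, written for this page, showing the naive check beside a tamper-evident alternative. Instead of encrypting the value, it attaches an HMAC computed with a secret held only on the server, which is the standard way to make the server trust only cookies it issued itself. The secret, the cookie names and the one-hour lifetime are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed example secret. A real deployment loads this from server-side
# configuration; it must never reach the browser.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Hypothetical session lifetime in seconds, chosen for the example.
MAX_AGE_SECONDS = 3600


def naive_member_check(cookies):
    """The scheme from the question: any browser that sends status=current is a member.

    The browser controls every cookie it sends, so the server cannot distinguish
    a cookie it set after a successful login from one a visitor typed in by hand.
    """
    return cookies.get("status") == "current"


def make_session_cookie(username, issued_at=None, secret=SERVER_SECRET):
    """Issue a tamper-evident cookie value: '<user>:<issued_at>:<hmac-sha256>'.

    The tag covers the user name and the issue time and is keyed with a secret
    only the server knows, so altering 'bill' to 'jim' invalidates the tag.
    """
    if issued_at is None:
        issued_at = int(time.time())
    payload = f"{username}:{issued_at}"
    tag = hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_session_cookie(cookie, now=None, secret=SERVER_SECRET, max_age=MAX_AGE_SECONDS):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    if not isinstance(cookie, str):
        return None
    parts = cookie.rsplit(":", 2)  # user names may themselves contain ':'
    if len(parts) != 3:
        return None
    username, issued_str, tag = parts
    try:
        issued_at = int(issued_str)
    except ValueError:
        return None
    expected = hmac.new(
        secret, f"{username}:{issued_at}".encode("utf-8"), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    if now is None:
        now = int(time.time())
    if issued_at > now or now - issued_at > max_age:
        return None
    return username


def signed_member_check(cookies, now=None):
    """Replacement for naive_member_check: trust only a cookie the server signed."""
    return verify_session_cookie(cookies.get("session"), now=now) is not None


if __name__ == "__main__":
    issued = make_session_cookie("bill", issued_at=1000)
    print("server-issued cookie accepted as:", verify_session_cookie(issued, now=1500))
    edited = issued.replace("bill", "jim", 1)  # the edit Bill describes
    print("edited cookie accepted as:", verify_session_cookie(edited, now=1500))
    print("naive check with a typed-in value:", naive_member_check({"status": "current"}))
```

The same effect can be had by storing nothing but an unguessable random session id in the cookie and looking the member status up on the server; either way the browser never holds a value it can usefully edit. Encryption on its own, as suggested in the reply, hides the value but does not by itself detect modification, so a keyed authenticator such as the HMAC above should be part of any cookie scheme that carries user data. Session hijacking by copying a valid cookie from another user's browser is a separate risk that the signature does not address; short lifetimes, HTTPS and the Secure and HttpOnly cookie flags are the usual mitigations there.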