Re: [WebDNA] Secure Cookies

This WebDNA talk-list message is from 2009.

I have a system where someone logs in with a user and pass, and webdna checks a user database. If they are a member, they get a cookie named status with a value of current. This lets them into the member area. Anyone can see the name and value by looking at their cookies in the browser settings. So is this a bad idea on my part? The wiki article was somewhat over my head.
Terry
On Sun, 25 Oct 2009 23:55:24 -0400
William DeVaul <wdevaul@gmail.com> wrote:
> It can be easy depending on countermeasures in place.
>
> http://en.wikipedia.org/wiki/Session_hijacking
>
> One super easy way is to store user credentials in the cookie. For
> example, if after logging in as "bill" to a web site, a cookie with
> the user name "bill" is stored on the client so that the server
> remembers me as "bill" on subsequent requests, the client could read
> the cookie and change the credential to "jim." This problem is not
> solved by the use of SSL but by not storing user credentials in the
> cookie in such a manner that they can be easily modified.
>
> For this reason, it is highly recommended to encrypt data in the cookie.
>
> Bill
>
> On Sun, Oct 25, 2009 at 9:10 PM, Terry Wilson <terry@terryfic.com> wrote:
>> How does hijacking work, and is it an easy thing to do?
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to
> the mailing list <talk@webdna.us>.
> To unsubscribe, E-mail to: <talk-leave@webdna.us>
> archives: http://mail.webdna.us/list/talk@webdna.us
> old archives: http://dev.webdna.us/TalkListArchive/
> Bug Reporting: http://forum.webdna.us/eucabb.html?page=topics&category=288

"Terry Wilson"
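Terry's status=current cookie and the "bill" to "jim" edit Bill describes, as an added example that is not from the original thread and not WebDNA code: it puts the trusting check beside a version where the server signs the cookie with an HMAC, so an edited value no longer verifies. The HMAC signature is a swapped-in integrity technique rather than the encryption Bill recommends; the server key, the member set and the `username.signature` cookie layout are constructed for the example.

```python
import hashlib
import hmac

# Constructed server-side secret for this example (assumption); a real
# deployment keeps it out of the templates and out of the cookie.
SERVER_KEY = b"example-secret-key-do-not-reuse-0123456789"


def vulnerable_is_member(cookies: dict) -> bool:
    """Terry's scheme: trust the bare cookie 'status=current'.
    Whatever value the client chooses to send is accepted."""
    return cookies.get("status") == "current"


def _sign(payload: str) -> str:
    # HMAC-SHA256 over the payload; only the server holds SERVER_KEY
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username: str) -> str:
    """Set after the database login succeeds: 'username.signature'."""
    return f"{username}.{_sign(username)}"


def verify_cookie(value: str):
    """Return the username if the signature matches, else None."""
    username, sep, sig = value.rpartition(".")
    if not sep or not username:
        return None
    # compare_digest keeps the comparison constant-time
    if not hmac.compare_digest(sig, _sign(username)):
        return None
    return username


def hardened_is_member(cookies: dict, members: set) -> bool:
    """Accept only a cookie the server itself signed, for a known member."""
    user = verify_cookie(cookies.get("session", ""))
    return user is not None and user in members


if __name__ == "__main__":
    members = {"bill", "jim"}
    good = issue_cookie("bill")            # issued by the server for bill
    edited = "jim" + good[len("bill"):]    # the 'bill' -> 'jim' edit, old signature
    print(vulnerable_is_member({"status": "current"}))   # True: anyone can set it
    print(hardened_is_member({"session": good}, members))    # True
    print(hardened_is_member({"session": edited}, members))  # False: signature fails
```

Signing stops forgery and editing, not theft: a copied cookie still works until it expires, so the cookie still needs HTTPS, the HttpOnly flag and a bounded lifetime.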
