
Session cookies - can they be changed at the client side

 
Andee Weir
Greenhorn
Posts: 12
Hi,
A silly question but how secure against change are session cookies?
I'm thinking about developing an application that needs to store a logged-in user's unique database lookup code within their session cookie. A user could easily see this value, but are there hacking tools out there to enable them to change it and fool my server application into giving them someone else's details?
I know I could encrypt the cookie, but do I need to bother?
Thanks in advance,
Andee
 
Alain Boucher
Ranch Hand
Posts: 51
Cookies are really fun to use... but NEVER use them with critical information. It is so easy to replace a cookie. App servers use a SessionID to manage requests with the user, but session IDs are not persistent data like a primary key in a DB... If you want to keep this ID only for your session time (not a persistent thing), just put that number in the session. If you want to store it in a persistent cookie... well, use good encryption. The best way to do what you want to do is using Authentication. Do not store that information on the user side. Or make a validation when the user logs in just to be sure it was not replaced.
 
Michael Mendelson
Ranch Hand
Posts: 73
Alain is correct, of course. You'll need to do a lookup using the SessionID - this can be done in some persistent class on the server side - like a Valve or a Servlet.
 
Andee Weir
Greenhorn
Posts: 12
Thanks for taking the time to reply guys. I just wanted to clarify my requirement to make certain I understand your answers.
1) I'm talking about session cookies rather than persistent cookies.
2) The connection is over SSL (irrelevant but thought I'd mention it anyway)
3) The data stored in the session cookie is a code that uniquely identifies that user in our backend databases, e.g. 123456. It would have been associated with the user in our LDAP directory as part of the authentication during the user's registration and is placed in the session cookie each time the user is authenticated by our single sign-on solution.
4) After the user is authenticated they would be presented with a menu of services they have the authorisation to access. One of these applications would use the code from the session cookie to look up data pertinent to that user from a database and display it to this user.
5) If user A can change the code in their session cookie to be another user's (user B) valid code then user A would see the data for user B. Is it possible to change session cookie data like this?
Thanks in advance,
Andee
[ March 27, 2003: Message edited by: Andee Weir ]
 
Knut Erik Borgen
Greenhorn
Posts: 1
Cookies are sent from the client side. Never trust data from the client side. What you are afraid of is often referred to as HTTP session hijacking.
So basically, yes, it might be a problem. So if you think that session hijacking is a problem (you have confidential data), you should make sure that your cookie is never sent out on a non-secure channel.
In general, if you plan to use the same cookie for a site, both for the http and https parts, then make sure it's not a problem. And as a rule of thumb, when you direct your users to an https section of your website, give them a new session.
KEB
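The pattern the three replies converge on (keep the user's lookup code in the server-side session and let the browser hold only the opaque session ID; issue a fresh session at login; refuse to honour a session ID that arrives over plain HTTP) can be written down as a small servlet example. This is an added illustration, not code from any of the posters or from JavaRanch. The `authenticate` and `lookupByCode` methods are placeholders for the site's real LDAP/SSO check and database query, and the `/login`, `/menu` and `/data` paths are assumed; the three classes are shown in one file for brevity and would normally each live in their own.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Name of the server-side session attribute that holds the user's lookup code.
// It never leaves the server; the browser only ever sees the JSESSIONID cookie.
final class SessionKeys {
    static final String USER_CODE = "userCode";
    private SessionKeys() {}
}

// Login endpoint: once the SSO/LDAP step has verified the user, the lookup
// code (e.g. 123456) is stored in the HttpSession, not in a cookie of its own.
class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String userCode = authenticate(req.getParameter("username"),
                                       req.getParameter("password"));
        if (userCode == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // "Give them a new session": drop any session that existed before
        // login so a pre-authentication session ID is never upgraded.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute(SessionKeys.USER_CODE, userCode);
        resp.sendRedirect(req.getContextPath() + "/menu");
    }

    // Placeholder for the real directory/SSO check; returns the user's
    // lookup code on success or null on failure.
    private String authenticate(String username, String password) {
        return null;
    }
}

// Data endpoint: the lookup is driven only by the server-held attribute.
// A cookie or request parameter named "userCode" sent by the browser is
// never consulted, so editing it client-side changes nothing.
class AccountDataServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        String userCode = (session == null)
                ? null : (String) session.getAttribute(SessionKeys.USER_CODE);
        if (userCode == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println(lookupByCode(userCode));
    }

    // Placeholder for the real database query keyed by the lookup code.
    private String lookupByCode(String userCode) {
        return "(database row for user code " + userCode + ")";
    }
}

// Filter: a session ID presented over a non-TLS connection is treated as
// exposed. The session is invalidated and the request refused, so a cookie
// leaked on the http part of the site cannot be replayed on the https part.
class SecureSessionFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (!req.isSecure() && req.getRequestedSessionId() != null) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "session must be used over HTTPS");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Two practical notes: on Servlet 3.0 and later containers the session cookie itself can be marked `Secure` (and `HttpOnly`) declaratively with `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` in web.xml, which keeps the browser from sending it over plain HTTP in the first place; and `request.isSecure()` reflects the connection the container sees, so behind a TLS-terminating proxy it must be configured to trust the proxy's forwarded-protocol header or the filter will reject every request.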
 