Session cookies - can they be changed at the client side

Greenhorn
Posts: 12
Hi,
A silly question, but how secure against change are session cookies?
I'm thinking about developing an application that needs to store a logged-in user's unique database lookup code within their session cookie. A user could easily see this value, but are there hacking tools out there to enable them to change it and fool my server application into giving them someone else's details?
I know I could encrypt the cookie but do I need to bother?
Thanks in advance,
Andee
 
Ranch Hand
Posts: 51
Cookies are really fun to use... but NEVER use them with critical information. It is so easy to replace a cookie. App servers use a SessionID to manage requests with the user, but session IDs are not persistent data like a primary key in a DB... If you want to keep this ID only for your session time (not a persistent thing), just put that number in the session. If you want to store it in a persistent cookie... well, use good encryption. The best way to do what you want to do is using Authentication. Do not store that information on the user side. Or make a validation when the user logs in, just to be sure it was not replaced.
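To make the "just put that number in the session" advice concrete, here is an added servlet example (not code from the thread or its posters). It contrasts reading the lookup code from a cookie the browser can rewrite with keeping it in the server-side HttpSession; the attribute name, servlet class and cookie name are assumptions for this example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Added example: the user's lookup code lives in the container's HttpSession,
// so the browser only ever holds the opaque JSESSIONID, not the code itself.
public class AccountServlet extends HttpServlet {

    // Attribute name is an assumption for this example.
    static final String USER_CODE_ATTR = "userCode";

    // Called once, right after single sign-on has authenticated the user.
    // 'userCode' is the value the LDAP lookup returned (e.g. 123456); it never leaves the server.
    static void bindUserToSession(HttpServletRequest req, String userCode) {
        // Discard any pre-login session so the authenticated user gets a fresh session ID.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        req.getSession(true).setAttribute(USER_CODE_ATTR, userCode);
    }

    // Weak variant, shown only for contrast: the value comes straight from the client,
    // so any user can edit it and read another user's data.
    static String userCodeFromCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if ("userCode".equals(c.getName())) return c.getValue(); // client-controlled
        }
        return null;
    }

    // Hardened variant: the code was stored by the server at login and is looked up
    // through the session ID; there is nothing in the cookie for the user to change.
    static String userCodeFromSession(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session == null ? null : (String) session.getAttribute(USER_CODE_ATTR);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String userCode = userCodeFromSession(req);
        if (userCode == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); // no authenticated session
            return;
        }
        // Query the backend with userCode and render the result; details are application-specific.
        resp.setContentType("text/plain");
        resp.getWriter().println("Account data for user code " + userCode);
    }
}
```

The session cookie should additionally be marked Secure so the container never sends JSESSIONID over plain HTTP, which is the point KEB raises later in the thread.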
 
Ranch Hand
Posts: 73
Alain is correct, of course. You'll need to do a lookup using the SessionID - this can be done in some persistent class on the server side - like a Valve or a Servlet.
 
Andee Weir
Greenhorn
Posts: 12
Thanks for taking the time to reply guys. I just wanted to clarify my requirement to make certain I understand your answers.
1) I'm talking about session cookies rather than persistent cookies.
2) The connection is over SSL (irrelevant, but I thought I'd mention it anyway).
3) The data stored in the session cookie is a code that uniquely identifies that user in our backend databases, e.g. 123456. It would have been associated with the user in our LDAP directory as part of the authentication during the user's registration and is placed in the session cookie each time the user is authenticated by our single sign-on solution.
4) After the user is authenticated they would be presented with a menu of services they have the authorisation to access. One of these applications would use the code from the session cookie to look up data pertinent to that user from a database and display it to this user.
5) If user A can change the code in their session cookie to be another user's (user B) valid code, then user A would see the data for user B. Is it possible to change session cookie data like this?
Thanks in advance,
Andee
[ March 27, 2003: Message edited by: Andee Weir ]
 
Greenhorn
Posts: 1
Cookies are sent from the client side. Never trust data from the client side. What you are afraid of is often referred to as HTTP session hijacking.
So basically, yes, it might be a problem. So if you think that session hijacking is a problem (you have confidential data), you should make sure that your cookie is never sent out on a non-secure channel.
In general, if you plan to use the same cookie for a site, both for the http and https parts, then make sure it's not a problem. And as a rule of thumb: when you direct your users to an https section of your website, give them a new session.
KEB