What's the security issue with cookies?

 
Ranch Hand
Posts: 162
I heard some 'rumor' about a security problem if the server uses cookies on the browser. Can someone describe in some detail what the potential problem can be? Do we really need to worry about it? I know if I use "encodeURL" then the server will first try using cookies unless the user blocks them, so is there any big security risk associated with it?


thanks.
 
Ranch Hand
Posts: 783
What exactly is the rumor you heard? We can't dispel or confirm any rumor about security vulnerabilities and cookies if we don't know what rumor you are referring to!
[ July 13, 2005: Message edited by: Paul Bourdeaux ]
 
Ranch Hand
Posts: 167
Perhaps you are referring to the fact that cookies travel on the unprotected internet in cleartext. In theory, an eavesdropper could hijack your session and gain access to your accounts. But that is true for the actual account information that is travelling on the internet as well. If that is a concern, you should use SSL, which will encrypt your data before sending it on the web.

Do share the other 'rumors' you may have heard
 
Artemesia Lakener
Ranch Hand
Posts: 162

Originally posted by Paul Bourdeaux:
What exactly is the rumor you heard? We can't dispel or confirm any rumor about security vulnerabilities and cookies if we don't know what rumor you are referring to!

[ July 13, 2005: Message edited by: Paul Bourdeaux ]
actually the people who told me cookies are unsafe never told me what exactly why, they just said they heard about it...
 
Paul Bourdeaux
Ranch Hand
Posts: 783
Cookies are stored on the client's computer, and are easily accessible (and editable) by both the user and any web pages they may be visiting. For this reason, you should not store any personal data in cookies, or at least not store any data that should not be shared with others.

Session hijacking is also sometimes a concern, and if so you should use SSL as Sharad suggested.

Other than that, I am not aware of any security problems with cookies.
 
Rancher
Posts: 13459
There are also issues involving

* cookies being written in one domain and read in another (besides other things, it allows sites to track your movement)
* developers being careless about the data placed in cookies - imagine the ranch just put your user number in our cookie; you could become anyone just by editing the file. Don't laugh, it happens too often.

These relate to the usage of cookies and not problems with the cookies themselves, but they are security concerns anyway.

I guess I'd also add that since they are files on your hard drive and may contain sensitive information, they are open to 'information harvesting' by viruses and trojans.
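Added example, not code from this thread or from JavaRanch: the careless design David describes (the user number itself is the cookie) next to two designs that survive a client editing the cookie file, written in Python so it runs without a servlet container. `naive_cookie`/`naive_lookup` is the forgeable version; `signed_cookie`/`signed_lookup` keeps the same value but appends an HMAC tag, so edits are detected (though the value is still readable by the user, which is why Paul says not to put personal data there); `SessionStore` is what a servlet container does with jsessionid, keeping only a random handle in the cookie and the user data on the server. The secret key, cookie name and user numbers are made up for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side key (assumption for this example). A real
# deployment loads it from configuration and never sends it to the client.
SERVER_SECRET = b"example-secret-do-not-use-in-production"


def _cookie_header(name: str, value: str) -> str:
    """Render one name=value pair the way it appears in a Cookie header."""
    jar = SimpleCookie()
    jar[name] = value
    return jar.output(header="").strip()


def naive_cookie(user_id: int) -> str:
    """The careless design from the thread: the user number is the cookie."""
    return _cookie_header("userid", str(user_id))


def naive_lookup(cookie_header: str) -> int:
    """The server believes whatever comes back, so editing the cookie file
    (userid=42 -> userid=1) makes the client user 1 with no check at all."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return int(jar["userid"].value)


def _tag(value: str) -> str:
    """HMAC-SHA256 over the value; only the holder of SERVER_SECRET can make it."""
    return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()


def signed_cookie(user_id: int) -> str:
    """Same data in the cookie, but carrying a tag the client cannot forge.
    This gives integrity only: the user can still read the value."""
    value = str(user_id)
    return _cookie_header("userid", f"{value}.{_tag(value)}")


def signed_lookup(cookie_header: str):
    """Return the user id only if the tag verifies; None for edited or
    fabricated cookies. compare_digest avoids timing leaks on the tag."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    value, _, tag = jar["userid"].value.rpartition(".")
    if not value or not hmac.compare_digest(tag, _tag(value)):
        return None
    return int(value)


class SessionStore:
    """What a servlet container does with jsessionid: the cookie carries only
    a random, unguessable handle and the user data never leaves the server.
    The handle itself is still stealable on a cleartext link (see SSL above)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id: int) -> str:
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = user_id
        return session_id

    def lookup(self, session_id: str):
        return self._sessions.get(session_id)


if __name__ == "__main__":
    # Constructed inputs: a legitimate cookie and one the client edited.
    print(naive_lookup("userid=1"))              # forged, accepted anyway
    print(signed_lookup(signed_cookie(42)))      # 42
    print(signed_lookup("userid=1"))             # None: no valid tag
```

The signed form is the minimum if you insist on putting data in the cookie; the session-store form is what you get for free from `HttpSession`, and is the reason a jsessionid cookie holding nothing but a random id is not the "user number in the cookie" mistake.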
 
Ranch Hand
Posts: 208
David,
I have seen some posts edited by the author, but when I clicked on the edit icon, a message stated that only an administrator or moderator can perform this function. Could you explain what happens?
 
Artemesia Lakener
Ranch Hand
Posts: 162

Originally posted by Paul Bourdeaux:
Cookies are stored on the client's computer, and are easily accessible (and editable) by both the user and any web pages they may be visiting. For this reason, you should not store any personal data in cookies, or at least not store any data that should not be shared with others.

Session hijacking is also sometimes a concern, and if so you should use SSL as Sharad suggested.

Other than that, I am not aware of any security problems with cookies.
So, for this encodeURL case, I wouldn't think the cookie is a problem because the server will just save the "jsessionid" there; if you use URL rewriting, you will see this jsessionid on the URL. So, same thing to me, right?
 
Ranch Hand
Posts: 8946

Originally posted by David O'Meara:
There are also issues involving

* developers being careless about the data placed in cookies - imagine the ranch just put your user number in our cookie; you could become anyone just by editing the file. Don't laugh, it happens too often.



Doesn't JR store the password in a cookie? It is not good.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
JR doesn't, UBB does
 
Paul Bourdeaux
Ranch Hand
Posts: 783
So, for this encodeURL case, I wouldn't think the cookie is a problem because the server will just save the "jsessionid" there; if you use URL rewriting, you will see this jsessionid on the URL. So, same thing to me, right?

Right.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
Not quite. We've been assuming 'persistent cookies', which are the ones stored on the file system. Unless specified otherwise, session cookies are usually 'in memory' only and not written to the client machine. It is, however, possible to convert a jsessionid to a persistent cookie, but you'll have to read Marty Hall's Core Java
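Added example, not code from the thread or from any servlet container: a small Set-Cookie classifier for David's session-versus-persistent distinction and Sharad's cleartext point, plus a model of what encodeURL does with the session id. A cookie with neither Max-Age nor Expires lives only in browser memory and is gone when the browser exits; with either attribute it is written to disk, which is the 'persistent cookie' case. The Secure flag tells the browser to send the cookie back only over SSL, so it never crosses the wire in cleartext. The header values and session ids are constructed for the example, and `encode_url` is a simplified model of `HttpServletResponse.encodeURL` (it appends `;jsessionid=` only when the client did not return the session cookie), not the container's implementation.

```python
import re
from http.cookies import SimpleCookie

# Matches the path-parameter form servlet containers use for URL rewriting.
JSESSIONID_IN_URL = re.compile(r";jsessionid=([A-Za-z0-9]+)", re.IGNORECASE)


def classify_set_cookie(header_value: str) -> dict:
    """Report how a browser will treat the cookie in one Set-Cookie header.

    persistent: True if Max-Age or Expires is present, i.e. the cookie is
                written to the client's disk instead of living in memory only.
    secure:     True if the Secure flag is present, i.e. the browser sends it
                back only over SSL/TLS, never in cleartext.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    (name, morsel), = jar.items()          # one cookie per Set-Cookie header
    return {
        "name": name,
        "value": morsel.value,
        "persistent": bool(morsel["max-age"]) or bool(morsel["expires"]),
        "secure": bool(morsel["secure"]),
    }


def session_id_in_url(url: str):
    """Return the jsessionid carried in the URL (URL rewriting), or None."""
    m = JSESSIONID_IN_URL.search(url)
    return m.group(1) if m else None


def encode_url(url: str, session_id: str, cookies_accepted: bool) -> str:
    """Simplified model of HttpServletResponse.encodeURL (an assumption for
    this example, not the container's code): if the client returned the
    session cookie the URL is unchanged; otherwise the id is appended as a
    path parameter before the query string, so the session survives with no
    cookie at all."""
    if cookies_accepted or session_id_in_url(url):
        return url
    path, sep, query = url.partition("?")
    return f"{path};jsessionid={session_id}{sep}{query}"


def where_is_the_session(set_cookie_headers, url: str) -> str:
    """Summarise where the session id ends up on the client for a response:
    'persistent cookie', 'session cookie', 'url', or 'none'."""
    for header in set_cookie_headers:
        info = classify_set_cookie(header)
        if info["name"].upper() == "JSESSIONID":
            return "persistent cookie" if info["persistent"] else "session cookie"
    return "url" if session_id_in_url(url) else "none"


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real server.
    print(classify_set_cookie("JSESSIONID=0123ABC; Path=/"))
    print(classify_set_cookie("JSESSIONID=0123ABC; Path=/; Max-Age=86400; Secure"))
    print(encode_url("/shop/cart?item=7", "0123ABC", cookies_accepted=False))
```

Run `classify_set_cookie` over the Set-Cookie header your container actually emits: a plain `JSESSIONID=...; Path=/` is the in-memory case David means, and only an added Max-Age or Expires turns it into a file on the client's hard drive. Whichever form carries the id, the URL-rewritten version is equally hijackable on a cleartext link, which is the part SSL addresses.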