Hi, A silly question but how secure against change are session cookies? I'm thinking about developing an application that needs to store a logged-in user's unique database lookup code within their session cookie. A user could easily see this value but are there hacking tools out there to enable them to change it & fool my server application into giving them someone else's details. I know I could encrypt the cookie but do I need to bother? Thanks in advance, Andee
Cookies are really fun to use... but NEVER use them with critical information. It is so easy to replace a cookie. App server use SessionID to manage request with the user but session ID are not persistent data like primarykey in a DB... If you want to keep this ID only for your session time (not a persistent thing) just put that number in the session. If you want to store it in a persistent cookie... well use good encryption. The best way to do what you want to do is using Authentification. Do not store that information to user side. Or make a validation when user log-in just to be sure it was not replaced
Alain is correct, of course. You'll need to do a lookup using the SessionID - this can be done in some persistent class on the server side - like a Valve or a Servlet.
Joined: Sep 13, 2002
Thanks for taking the time to reply guys. I just wanted to clarify my requirement to make certain I understand your answers. 1) I'm talking about session cookies rather than persistent cookies. 2) The connection is over SSL (irrelevant but thought I'd mention it anyway) 3) The data stored in the session cookie is a code that uniquely identifies that user in our backend databases e.g. 123456. It would have been associated with the user in our LDAP directory as part of the authenication during the user's registration & is placed in the session cookie each time the user is authenticated by our single sign on solution. 4) After the user is authenticated they would be presented with a menu of services they have the authorisation to access. One of these applications would use the code from the session cookie to lookup data pertinent to that user from a database & display it to this user. 5) If user A can change the code in their session cookie to be another user's (user B) valid code then user A would see the data for user B. Is it possible to change session cookie data like this? Thanks in advance, Andee [ March 27, 2003: Message edited by: Andee Weir ]
Cookies are sent from the client side. Never trust data from the client side. What you are afraid of are often refered to as http session highjacking. So basicly, yes it might be a problem. So if you think that session highjacking is a problem (you have confidential data), you should make sure that your cookie is never sent out on a non secure channel. In general - if you plan to use same cookie for a site, both for http and https part, then make sure it's not a problem. And as a rule of thumb - when you direct your users to a https section of your website - give them a new session. KEB