JavaRanch » Java Forums » Engineering » Security
Session cookies - can they be changed at the client side

Andee Weir
Greenhorn

Joined: Sep 13, 2002
Posts: 12
Hi,
A silly question but how secure against change are session cookies?
I'm thinking about developing an application that needs to store a logged-in user's unique database lookup code within their session cookie. A user could easily see this value, but are there hacking tools out there to enable them to change it & fool my server application into giving them someone else's details?
I know I could encrypt the cookie but do I need to bother?
Thanks in advance,
Andee
Alain Boucher
Ranch Hand

Joined: Feb 25, 2003
Posts: 51
Cookies are really fun to use... but NEVER use them with critical information. It is so easy to replace a cookie. App servers use a SessionID to manage requests with the user, but session IDs are not persistent data like a primary key in a DB... If you want to keep this ID only for your session time (not a persistent thing), just put that number in the session. If you want to store it in a persistent cookie... well, use good encryption. The best way to do what you want to do is using Authentication. Do not store that information on the user side. Or make a validation when the user logs in just to be sure it was not replaced.


Alain Boucher
Spare-Brain Consultants Inc.
SCJ2P, SCWCD
Michael Mendelson
Ranch Hand

Joined: Dec 19, 2000
Posts: 73
Alain is correct, of course. You'll need to do a lookup using the SessionID - this can be done in some persistent class on the server side - like a Valve or a Servlet.
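The server-side lookup Alain and Michael describe, as an added example that is not from this thread: the user's lookup code is kept in the container's HttpSession (keyed by the opaque session ID) instead of in a cookie the browser can edit. The cookie-reading method is shown only as the insecure "before"; the cookie name `userCode` and the `loadUserDetails` backend call are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from this thread. Cookie name and backend
// lookup are hypothetical.
public class UserDetailsServlet extends HttpServlet {

    // INSECURE "before": trusts a value the browser sends back. Any
    // client can edit this cookie, so user A can ask for user B's data.
    private String codeFromCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if ("userCode".equals(c.getName())) return c.getValue();
        }
        return null;
    }

    // Call once the SSO / LDAP check has succeeded: drop any pre-login
    // session, then store the code server-side. The browser only ever
    // holds the container's session ID cookie, never the code itself.
    public static void onLoginSuccess(HttpServletRequest req, String userCode) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute("userCode", userCode);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        String code = (session == null) ? null
                : (String) session.getAttribute("userCode");
        if (code == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); // not logged in
            return;
        }
        // 'code' came from the server-side session, never from the client.
        resp.setContentType("text/plain");
        resp.getWriter().println(loadUserDetails(code));
    }

    // Hypothetical backend lookup; replace with the real database query.
    private String loadUserDetails(String code) {
        return "details for user code " + code;
    }
}
```

Changing the session ID cookie only yields someone else's data if the attacker guesses a valid live session ID, which is why the ID must be long, random and sent only over HTTPS.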
Andee Weir
Greenhorn

Joined: Sep 13, 2002
Posts: 12
Thanks for taking the time to reply guys. I just wanted to clarify my requirement to make certain I understand your answers.
1) I'm talking about session cookies rather than persistent cookies.
2) The connection is over SSL (irrelevant but thought I'd mention it anyway)
3) The data stored in the session cookie is a code that uniquely identifies that user in our backend databases, e.g. 123456. It would have been associated with the user in our LDAP directory as part of the authentication during the user's registration & is placed in the session cookie each time the user is authenticated by our single sign-on solution.
4) After the user is authenticated they would be presented with a menu of services they have the authorisation to access. One of these applications would use the code from the session cookie to lookup data pertinent to that user from a database & display it to this user.
5) If user A can change the code in their session cookie to be another user's (user B) valid code then user A would see the data for user B. Is it possible to change session cookie data like this?
Thanks in advance,
Andee
[ March 27, 2003: Message edited by: Andee Weir ]
Knut Erik Borgen
Greenhorn

Joined: Sep 15, 2003
Posts: 1
Cookies are sent from the client side. Never trust data from the client side. What you are afraid of is often referred to as HTTP session hijacking.
So basically, yes, it might be a problem. So if you think that session hijacking is a problem (you have confidential data), you should make sure that your cookie is never sent out on a non-secure channel.
In general, if you plan to use the same cookie for a site, both for the http and https parts, then make sure it's not a problem. And as a rule of thumb, when you direct your users to an https section of your website, give them a new session.
KEB