I heard some 'rumor' about the security problem if the server uses cookies on the browser. Can someone describe in some detail what the potential problem can be? Do we really need to worry about it? I know if I use "encodeURL" then the server will first try using cookies unless the user blocks them, so is there any big security risk associated with it?
thanks.
Paul Bourdeaux
Ranch Hand
Joined: May 24, 2004
Posts: 783
posted
0
What exactly is the rumor you heard? We can't dispel or confirm any rumor about security vulnerabilities and cookies if we don't know what rumor you are referring to! [ July 13, 2005: Message edited by: Paul Bourdeaux ]
“Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.” - Rich Cook
Sharad Agarwal
Ranch Hand
Joined: Sep 11, 2002
Posts: 167
posted
0
Perhaps you are referring to the fact that cookies travel on the unprotected internet in cleartext. In theory, an eavesdropper could hijack your session and gain access to your accounts. But that is true for the actual account information that is travelling on the internet as well. If that is a concern, you should use SSL, which will encrypt your data before sending it on the web.
Originally posted by Paul Bourdeaux: What exactly is the rumor you heard? We can't dispel or confirm any rumor about security vulnerabilities and cookies if we don't know what rumor you are referring to!
[ July 13, 2005: Message edited by: Paul Bourdeaux ]
Actually, the people who told me cookies are unsafe never told me exactly why; they just said they heard about it...
Paul Bourdeaux
Ranch Hand
Joined: May 24, 2004
Posts: 783
posted
0
Cookies are stored on the client's computer, and are easily accessible (and editable) by both the user and any webpages they may be visiting. For this reason, you should not store any personal data in cookies, or at least not store any data that should not be shared with others.
Session hijacking is also sometimes a concern, and if so you should use SSL as Sharad suggested.
Other than that, I am not aware of any security problems with cookies.
There are also issues involving:
* cookies being written in one domain and read in another (besides other things, it allows sites to track your movement)
* developers being careless about the data placed in cookies - imagine the ranch just put your user number in our cookie; you could become anyone just by editing the file. Don't laugh, it happens too often.
These relate to the usage of cookies and not problems with the cookies themselves, but they are security concerns anyway.
I guess I'd also add that since they are files on your hard drive and may contain sensitive information, they are open to 'information harvesting' from viruses and trojans.
vu lee
Ranch Hand
Joined: Apr 19, 2005
Posts: 189
posted
0
David, I have seen some posts edited by the author, but when I clicked on the edit icon, a message stated that only an administrator or moderator can perform this function. Could you explain what happens?
Artemesia Lakener
Ranch Hand
Joined: Jun 21, 2005
Posts: 162
posted
0
Originally posted by Paul Bourdeaux: Cookies are stored on the client's computer, and are easily accessible (and editable) by both the user and any webpages they may be visiting. For this reason, you should not store any personal data in cookies, or at least not store any data that should not be shared with others.
Session hijacking is also sometimes a concern, and if so you should use SSL as Sharad suggested.
Other than that, I am not aware of any security problems with cookies.
So, for this encodeURL case, I wouldn't think the cookie is a problem because the server will just save the "jsessionid" there; if you use URL rewriting, you will see this jsessionid in the URL. So, same thing to me, right?
Originally posted by David O'Meara: There are also issues involving
* developers being careless about the data placed in cookies - imagine the ranch just put your user number in our cookie; you could become anyone just by editing the file. Don't laugh, it happens too often.
Doesn't JR store the password in a cookie? It is not good.
So, for this encodeURL case, I wouldn't think the cookie is a problem because the server will just save the "jsessionid" there; if you use URL rewriting, you will see this jsessionid in the URL. So, same thing to me, right?
Not quite. We've been assuming 'persistent cookies', which are the ones stored on the file system. Unless specified otherwise, session cookies are usually 'in memory' only and not written to the client machine. It is, however, possible to convert a jsessionid to a persistent cookie, but you'll have to read Marty Hall's Core Java
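As an added example (not code from this thread), here is a servlet that follows the advice above: the user number stays in the server-side HttpSession, only the opaque jsessionid reaches the client, and response.encodeURL() makes the cookie-or-URL-rewriting choice so nothing client-editable is trusted for identity. It assumes the javax.servlet API on the classpath and this servlet mapped to both /login and /account; the credential table is constructed for the demo.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AccountServlet extends HttpServlet {
    // Constructed demo tables (hypothetical); a real app would store hashed passwords.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    private static final Map<String, Integer> USER_NUMBERS = Map.of("alice", 42);

    // POST /login: authenticate, then keep the user number in the server-side session.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !pass.equals(PASSWORDS.get(user))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession old = req.getSession(false);   // drop any pre-login session id
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true); // container issues a fresh JSESSIONID
        session.setAttribute("userNumber", USER_NUMBERS.get(user));
        // encodeURL appends ;jsessionid=... only while the client has not sent the session
        // cookie back (first response, or cookies disabled); otherwise the URL is unchanged.
        String next = resp.encodeURL(req.getContextPath() + "/account");
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<p>Session id came from cookie: " + req.isRequestedSessionIdFromCookie() + "</p>");
        out.println("<a href=\"" + next + "\">Continue</a>");
    }

    // GET /account: identity comes from the session object, never from a cookie value
    // the user could edit on disk.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        Integer userNumber = session == null ? null : (Integer) session.getAttribute("userNumber");
        if (userNumber == null) {
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login"));
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello user #" + userNumber);
    }
}
```

With Servlet 3.0 or later, the session cookie can also be marked HttpOnly and Secure in web.xml's <cookie-config> element, which addresses the cleartext-transport and page-script concerns raised earlier in the thread.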