JavaRanch » Java Forums » Java » Servlets
what's the security issue about cookie ?

Artemesia Lakener
Ranch Hand

Joined: Jun 21, 2005
Posts: 162
I heard some 'rumor' about the security problem if the server uses cookies on the browser. Can someone describe in some detail what the potential problem can be? Do we really need to worry about it? I know if I use "encodeURL" then the server will first try using cookies unless the user blocks it, so is there any big security risk associated with it?


thanks.
Paul Bourdeaux
Ranch Hand

Joined: May 24, 2004
Posts: 783
What exactly is the rumor you heard? We can't dispel or confirm any rumor about security vulnerabilities and cookies if we don't know what rumor you are referring to!
[ July 13, 2005: Message edited by: Paul Bourdeaux ]

“Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.” - Rich Cook
Sharad Agarwal
Ranch Hand

Joined: Sep 11, 2002
Posts: 167
Perhaps you are referring to the fact that cookies travel on the unprotected internet in cleartext. In theory, an eavesdropper could hijack your session and gain access to your accounts. But that is true for the actual account information that is travelling on the internet as well. If that is a concern, you should use SSL, which will encrypt your data before sending it on the web.

Do share the other 'rumors' you may have heard


Alco-Haul: We move spirits.
Demented Deliberations of a Dilettante
Artemesia Lakener
Ranch Hand

Joined: Jun 21, 2005
Posts: 162
Originally posted by Paul Bourdeaux:
What exactly is the rumor you heard? We can't dispel or confirm any rumor about security vulnerabilities and cookies if we don't know what rumor you are referring to!

Actually, the people who told me cookies are unsafe never told me exactly why; they just said they heard about it...
Paul Bourdeaux
Ranch Hand

Joined: May 24, 2004
Posts: 783
Cookies are stored on the client's computer, and are easily accessible (and editable) by both the user and any web pages they may be visiting. For this reason, you should not store any personal data in cookies, or at least not store any data that should not be shared with others.

Session hijacking is also sometimes a concern, and if so you should use SSL as Sharad suggested.

Other than that, I am not aware of any security problems with cookies.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

There are also issues involving

* cookies being written in one domain and read in another (besides other things it allows sites to track your movement)
* developers being careless about the data placed in cookies - imagine the ranch just put your user number in our cookie, you could become anyone just by editing the file. Don't laugh, it happens too often.

These relate to the usage of cookies and not problems with the cookies themselves, but they are security concerns anyway.

I guess I'd also add that since they are files on your hard drive and may contain sensitive information they are open for 'information harvesting' from viruses and trojans.
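David's second point, a cookie that carries the raw user number and can be edited by whoever holds it, is the one a servlet developer most needs to design against. The example below is added here and is not code from this thread or from JavaRanch; it is written in Python rather than Java so it runs stand-alone without a servlet container. It puts three designs side by side: the careless cookie David describes, the same value protected with an HMAC so the server can detect an edited value, and the indirection a container's jsessionid already gives you (a random identifier in the cookie, the user number kept server-side). SERVER_SECRET, the user number 162 and the `user` cookie name are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed secret for the example. A real deployment loads this from
# configuration and rotates it; it is never hard-coded.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


# --- Design 1: the pattern David warns about --------------------------------
def make_plain_cookie(user_number: int) -> str:
    """Bare user number in the cookie; the client can change it at will."""
    return f"user={user_number}"


def read_plain_cookie(cookie: str) -> int:
    """The server trusts whatever comes back, so an edited value is accepted."""
    name, _, value = cookie.partition("=")
    if name != "user":
        raise ValueError("unexpected cookie name")
    return int(value)


# --- Design 2: the same value, but integrity-protected ----------------------
def _mac(value: str) -> str:
    return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()


def make_signed_cookie(user_number: int) -> str:
    """Value and its HMAC-SHA256 tag, separated by a dot."""
    value = str(user_number)
    return f"user={value}.{_mac(value)}"


def read_signed_cookie(cookie: str) -> Optional[int]:
    """Return the user number only if the tag still matches the value."""
    name, _, payload = cookie.partition("=")
    if name != "user":
        return None
    value, sep, tag = payload.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison: do not leak how much of the tag was right.
    if not hmac.compare_digest(tag, _mac(value)):
        return None  # edited or forged; treat as not logged in
    return int(value)


# --- Design 3: random session id, identity kept server-side (jsessionid) ----
class SessionStore:
    """Maps unguessable session ids to user numbers, like a servlet container."""

    def __init__(self) -> None:
        self._sessions: Dict[str, int] = {}

    def create(self, user_number: int) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[sid] = user_number
        return sid

    def lookup(self, sid: str) -> Optional[int]:
        # Unknown or edited ids simply resolve to nobody.
        return self._sessions.get(sid)


def edited_copy(cookie: str, new_user: int) -> str:
    """Model the edit David describes: the client changes the value part of its
    own cookie file but cannot recompute a tag it has no key for."""
    name, _, payload = cookie.partition("=")
    value, sep, tag = payload.rpartition(".")
    return f"{name}={new_user}.{tag}" if sep else f"{name}={new_user}"


if __name__ == "__main__":
    print("plain, after edit :", read_plain_cookie(edited_copy(make_plain_cookie(162), 1)))
    print("signed, intact    :", read_signed_cookie(make_signed_cookie(162)))
    print("signed, after edit:", read_signed_cookie(edited_copy(make_signed_cookie(162), 1)))
    store = SessionStore()
    sid = store.create(162)
    print("session id lookup :", store.lookup(sid), "/ edited id ->", store.lookup(sid[:-1] + "x"))
```

The signed design still leaves the user number readable on the client, so it only addresses tampering, not Paul's point about confidentiality; the session-id design addresses both, which is why keeping identity server-side behind jsessionid is the usual answer.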
vu lee
Ranch Hand

Joined: Apr 19, 2005
Posts: 189
David,
I have seen some posts edited by the author, but when I clicked on the edit icon, a msg stated that only an administrator or moderator can perform this function. Could you explain what happens?
Artemesia Lakener
Ranch Hand

Joined: Jun 21, 2005
Posts: 162
Originally posted by Paul Bourdeaux:
Cookies are stored on the client's computer, and are easily accessible (and editable) by both the user and any web pages they may be visiting. For this reason, you should not store any personal data in cookies, or at least not store any data that should not be shared with others.

Session hijacking is also sometimes a concern, and if so you should use SSL as Sharad suggested.

Other than that, I am not aware of any security problems with cookies.


So, for this encodeURL case, I wouldn't think the cookie is a problem because the server will just save the "jsessionid" there; if you use URL rewriting, you will see this jsessionid on the URL. So, same thing to me, right?
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8919

Originally posted by David O'Meara:
There are also issues involving

* developers being careless about the data placed in cookies - imagine the ranch just put your user number in our cookie, you could become anyone just by editing the file. Don't laugh, it happens too often.



Doesn't JR store the password in a cookie? It is not good.


Groovy
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

JR doesn't, UBB does
Paul Bourdeaux
Ranch Hand

Joined: May 24, 2004
Posts: 783
So, for this encodeURL case, I wouldn't think the cookie is a problem because the server will just save the "jsessionid" there; if you use URL rewriting, you will see this jsessionid on the URL. So, same thing to me, right?

Right.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Not quite. We've been assuming 'persistent cookies', which are the ones stored on the file system. Unless specified otherwise, session cookies are usually 'in memory' only and not written to the client machine. It is, however, possible to convert a jsessionid to a persistent cookie, but you'll have to read Marty Hall's Core Java
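The distinction David draws is decided by attributes on the Set-Cookie header: a cookie with no Max-Age or Expires lives in browser memory and goes away with the browser; one with an expiry is written to disk, which is what exposes it to the file-harvesting David mentioned earlier. The example below is added here, not code from the thread or from JavaRanch, and is in Python (the standard library's http.cookies) rather than Java so it runs stand-alone. It renders both kinds of header and shows the Secure attribute that ties a cookie to SSL as Sharad advised; the HttpOnly attribute is included as an addition beyond what the thread discusses. Cookie names and values are constructed.

```python
from http.cookies import SimpleCookie
from typing import Optional


def build_set_cookie(name: str, value: str, max_age_seconds: Optional[int] = None,
                     secure: bool = True, http_only: bool = True) -> str:
    """Render a Set-Cookie header value.

    Without Max-Age (or Expires) the browser keeps the cookie in memory only
    and discards it when the browser closes: a session cookie. With Max-Age
    the browser persists it to disk until it expires: a persistent cookie.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    if max_age_seconds is not None:
        morsel["max-age"] = max_age_seconds
    if secure:
        # Browser sends the cookie over HTTPS only, so it never travels in
        # cleartext (Sharad's point about eavesdropping).
        morsel["secure"] = True
    if http_only:
        # Page scripts cannot read the cookie (attribute added by this
        # example; the thread does not discuss it).
        morsel["httponly"] = True
    return morsel.OutputString()


def is_persistent(set_cookie: str) -> bool:
    """True when the header tells the browser to write the cookie to disk."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    return any(bool(m["max-age"] or m["expires"]) for m in jar.values())


def has_flag(set_cookie: str, flag: str) -> bool:
    """Check a boolean attribute ('secure' or 'httponly') on a parsed header."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    return any(bool(m[flag]) for m in jar.values())


if __name__ == "__main__":
    # Constructed values: a container-style session id and a remember-me token.
    session = build_set_cookie("JSESSIONID", "constructedSessionId")
    persistent = build_set_cookie("remember", "constructedToken", max_age_seconds=30 * 24 * 3600)
    for header in (session, persistent):
        print(header)
        print("  persistent:", is_persistent(header), "| secure:", has_flag(header, "secure"))
```

The weak variant the thread worries about is the persistent header carrying something sensitive with `secure=False`: it sits on disk and is sent in cleartext. Keeping jsessionid as a session cookie with Secure set avoids both issues without changing the application code that uses encodeURL.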