Browser prompting for cookies & Judging How Much Security is required

I've always wondered how dangerous this could be and whether it is dangerous at all.

If someone manages to get hold of your workstation when you're logged on to a website, he/she may change the browser settings so that the browser prompts for acceptance of cookies (which contain the session Id).
Then that person can very well submit a request through a standalone program with that session Id and work on the application as that user.
I have done this myself to see if it works.

1. What would be the ways to avoid this?
Encrypt cookies? Is there any way to encrypt the session Id in the cookie?
2. Another point that comes to my mind here is:
where do you draw the line on how much security you should build in?
It's all very good and wonderful to make your application as secure as possible. But how do you choose the optimal solution based on the application and budget?
<RN> These are phishing attacks, pretty much common, and can happen via both a malicious web site or email-perpetuated scripts. These attacks can be restricted through browser privacy settings (cookie acceptance, URL redirecting, image acceptance policies). When you store frequently visited web sites and their passwords or related information, make sure they are encrypted. But still, there are a lot of ways to connect with a computer while surfing !!! Personal firewalls and content filtering are good options.

In J2EE web application development you can choose to encrypt cookies or encode URLs (URL rewriting)! Encrypting cookies and encoding URLs, or a combination of both, can be done. These are usually very much vendor-specific mechanisms and are not mandated by the Servlet & JSP specifications. Encrypting session IDs, identifying client host IDs and using TIMESTAMPS are also considered best practices to avoid session theft and session hijacking; once again, these are usually vendor-specific. In addition, always use SSL communication to ensure that the client is interacting via a secure channel.

Cookie encryption, encrypted session IDs, URL encoding, timestamping and client IP identification are all very much light-weight and more or less CPU/memory intensive (assuming encryption bit-strength is considered medium); it should not impact performance or even your overall budget. If you want to perform encryption and decryption at wire speed then you may consider using SSL/crypto accelerators. That's a bit pricey, but it helps.

The optimal solution is all about striking a balance between your security trade-offs and budget :-) !!! Perform a risk analysis and estimate the cost of a known risk and how it relates to your business application... Now decide !!!

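As an added example (not code from either poster), here is one way to apply the "client host ID" and "timestamp" ideas from the reply above in a plain servlet Filter: the session is bound to a hash of the client address and User-Agent on first sight, and a stolen session ID replayed from another host, or one left idle too long, is invalidated instead of served. Attribute names, the 15-minute idle limit and the class name are my own choices.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: ties a session to the client that created it and enforces an idle timeout. */
public class SessionBindingFilter implements Filter {
    private static final String BINDING_ATTR = "sbf.binding";   // attribute names are assumptions
    private static final String LAST_SEEN_ATTR = "sbf.lastSeen";
    private static final long MAX_IDLE_MS = 15L * 60 * 1000;    // constructed idle limit (15 min)

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);        // never create one just to check it
        if (session != null) {
            long now = System.currentTimeMillis();
            String expected = fingerprint(request);
            String stored = (String) session.getAttribute(BINDING_ATTR);
            Long lastSeen = (Long) session.getAttribute(LAST_SEEN_ATTR);
            boolean foreignOrStale = (stored != null && !stored.equals(expected))
                    || (lastSeen != null && now - lastSeen > MAX_IDLE_MS);
            if (foreignOrStale) {
                // Session ID presented from a different client, or idle past the limit: kill it.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (stored == null) session.setAttribute(BINDING_ATTR, expected); // first sight: bind
            session.setAttribute(LAST_SEEN_ATTR, now);             // refresh the timestamp
        }
        chain.doFilter(req, res);
    }

    /** SHA-256 of remote address + User-Agent. Caveat: users behind NAT share an address and
     *  mobile clients change address mid-session, so expect some legitimate users to be rejected. */
    static String fingerprint(HttpServletRequest r) {
        String raw = r.getRemoteAddr() + "|" + String.valueOf(r.getHeader("User-Agent"));
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(raw.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);             // SHA-256 is mandatory in every JRE
        }
    }

    @Override public void init(FilterConfig config) {}  @Override public void destroy() {}
}
```

Map the filter to `/*` in web.xml, and pair it with the container's own defences the reply mentions: serve the whole application over SSL and mark the session cookie HttpOnly and Secure (Servlet 3.0 `<session-config><cookie-config>`), so the ID is neither readable by injected script nor sent in the clear.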