Velocity Reviews - Computer Hardware Reviews

Ram based Cookies

 
 
Colin Young
04-28-2004
It sounds from the discussion that you are concerned about your legitimate
users trying to do things they shouldn't (I'm guessing privilege elevation
or similar). If that is the case, the only thing you should store in the
cookie is information that is known only to that user.

For example, don't store a user ID only because that would allow an
up-to-no-good user to simply change the ID to become a different person,
possibly with elevated permissions. Instead, keep the ID and password in the
cookie and verify it when the user attempts to perform an action.

It may be more expensive in terms of computing resources and programming
effort, but all security is coming up with the best balance between the cost
of the security and the value of what is being protected. Bruce Schneier has
a good essay on the topic at
http://www.schneier.com/crypto-gram-0403.html#11.

My suggestion would be to not put anything in the cookie that would provide
a nefarious user with an easy way to guess, and have some way of detecting
attacks. e.g. if some user is attempting to guess user IDs, in the worst
case they change their user ID to '0' and become administrator. If you
decide to play a trick and change the admin ID to some random number, you've
made it difficult (not impossible) to guess, but unless you have some way of
detecting attempts to change the user ID (i.e. a password and validation
routine), you will have no idea that somebody is trying to crack your
security and they can take as long as they want attempting to guess.

Colin

"Mark" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We use cookies to maintain some state information about a user's session.
> They are not file based due to the fact that we don't specify an expiration
> date. They go away when the session ends. I know it's possible to modify a
> file based cookie. However, what would it take for a hacker that did not
> have access to our web server to modify the value of a ram based client
> cookie that we're creating below? I'm not concerned about someone reading
> what is in the cookie - I'm nervous about them being able to modify the
> cookie value.
>
> Thanks in advance.
> Mark
>
> HttpCookie ckCookie = Request.Cookies[strCookieName];
> if (ckCookie == null)
> {
>     ckCookie = new HttpCookie(strCookieName, strCookieValue);
>     Response.Cookies.Add(ckCookie);
> }
> else
> {
>     Response.Cookies[strCookieName].Value = strCookieValue;
> }
>
>



 
Steve Drake
04-28-2004
No, the value isn't needed on the server; the server just holds the hashing
code. You take the value and the hash sent to the server, recreate the hash
from the value sent, and if you get the same result as the hashed one, it matches.

Your cookie sent from the server to the client could be:

My Non Editable thing = "SomeValue"
My Encrypted Value = "eulaVemos"

When the cookies get sent back to the server, you take "SomeValue", run your
ENC code, it produces "eulaVemos", so the cookie has not been tampered with. If
.... you get

My Non Editable thing = "WrongValue"
My Encrypted Value = "eulaVemos"

The server would create "eulaVgnorW" and compare it to "eulaVemos", so it would
know it's been tampered with.

You could get more intelligent by rotating the key that you use to encrypt
on each request for that user.

I reckon this code could be added to the global asa to work with ALL
cookies.

Steve


"Mark" <(E-Mail Removed)> wrote in message
news:#(E-Mail Removed)...
> Thanks Steve.
>
> Correct me if I'm wrong but this essentially requires both the client and
> the server to maintain this "value" that I'm passing in the cookie. To
> regenerate the value on the server, and then compare it to the client
> cookie, that means the server has to have a clue.
>
> In my scenario, the whole point of passing the cookie is that I don't want
> the server (session or otherwise) to have to regenerate the value. The
> cookie maintains this information so the server doesn't have to.
>
> Am I misreading your suggestion? Thanks again.
>
> Mark
>
>
> "Steve Drake" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > You create a NEW cookie, base it on the vals from your non editable
> > cookie; this new cookie is a sort of encrypted version of the non editable
> > cookie. In your server code, you REGEN this cookie from the non editable value;
> > if it doesn't match, you assume the cookie has changed.
> >
> > This is sort of like a checksum.
> >
> > I don't have a code sample yet, but I do need to do this sort of thing
> > soon.
> >
> >
> > Steve
> >
> > You create a hash, some sort of hash, with some user info + the cookie
> > name + the cookie value.
> > "Mark" <(E-Mail Removed)> wrote in message
> > news:#(E-Mail Removed)...
> > > Great idea. A quick code sample, or pseudo code for both hashing and
> > > unhashing would be deeply appreciated.
> > >
> > > Mark
> > >
> > > "Steve Drake" <(E-Mail Removed)> wrote in message
> > > news:(E-Mail Removed)...
> > > > I would never assume it cannot be edited; cookies are sent in the HTTP
> > > > headers, so you could intercept this and change the values.
> > > >
> > > > You could HASH the cookie.
> > > >
> > > > Steve
> > > >

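A worked version of the scheme Steve describes (a readable value plus a check the server recomputes from it), with the per-client failure counting Colin recommends so that someone guessing user IDs is noticed. This is an added example, not code from anyone in this thread. It is written in Python rather than C# so it runs stand-alone, but the construction, an HMAC over the cookie value keyed with a secret only the server holds, is the same one ASP.NET applies to its forms-authentication ticket under the machineKey validation key, and it carries over directly to an HttpModule or global.asax handler. Note that the string reversal in Steve's illustration is only a placeholder: any check the client can recompute for the new value stops nothing, which is why the check below is keyed with a server secret rather than derived from the value alone. The server key, session IDs, cookie values and client address are all constructed for the example.

```python
import base64
import hashlib
import hmac
from collections import defaultdict
from typing import Optional, Tuple

# The server-side secret: the "hashing code" that never leaves the server.
# Constructed example key; a real deployment loads it from protected
# configuration (e.g. the machineKey) and does not hard-code it.
SERVER_KEY = bytes.fromhex(
    "5f0c8a0c6c2e4a9f9d1b3e7c2a4d6f8e0b1c3d5e7f9a2b4c6d8e0f1a3b5c7d9e"
)


def _mac(key: bytes, value: str) -> str:
    """HMAC-SHA256 of the value, base64url-encoded without padding (no '.' in output)."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def session_key(session_id: str, master: bytes = SERVER_KEY) -> bytes:
    """Derive a per-session signing key from the master key (Steve's 'rotating key'):
    a cookie signed for one session does not verify when replayed into another."""
    return hmac.new(master, b"cookie-key:" + session_id.encode("utf-8"),
                    hashlib.sha256).digest()


def sign_cookie(value: str, key: bytes) -> str:
    """Wire form 'value.mac': the value stays readable, the mac is the check."""
    return value + "." + _mac(key, value)


def verify_cookie(cookie: str, key: bytes) -> Optional[str]:
    """Recompute the mac from the value part and compare it in constant time.
    Returns the value if it checks out, None if the cookie was tampered with."""
    value, sep, _ = cookie.rpartition(".")   # the mac never contains '.', so
    if not sep:                              # the last '.' is the separator
        return None
    expected = sign_cookie(value, key)
    if hmac.compare_digest(expected.encode("utf-8"), cookie.encode("utf-8")):
        return value
    return None


class TamperMonitor:
    """Count failed verifications per client so guessing does not go unnoticed."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.failures = defaultdict(int)

    def check(self, client: str, cookie: str, key: bytes) -> Tuple[Optional[str], bool]:
        """Return (verified value or None, whether this client has crossed the threshold)."""
        value = verify_cookie(cookie, key)
        if value is None:
            self.failures[client] += 1
        return value, self.failures[client] >= self.threshold


def demo() -> dict:
    key = session_key("sess-7f3a")                     # constructed session id
    cookie = sign_cookie("uid=1042;role=user", key)
    # Steve's case: the readable part is edited, the check part left alone.
    forged = cookie.replace("uid=1042", "uid=0")
    # Replay: the untouched cookie presented under a different session.
    other_key = session_key("sess-0000")
    return {
        "genuine": verify_cookie(cookie, key),        # "uid=1042;role=user"
        "forged": verify_cookie(forged, key),         # None
        "replayed": verify_cookie(cookie, other_key), # None
    }


if __name__ == "__main__":
    print(demo())
```

The check gives integrity only: the value is still readable in the header (which Mark says is acceptable), and whoever holds the cookie can still send it back unchanged for as long as the session lasts, so bind it to the session as above, mark it HttpOnly and send it over HTTPS. Keying the check with a server secret also means the user's password never has to travel in the cookie for the server to detect a changed user ID.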
 