Vulnerability Development: Re: Cookies

[Denis Ducamp <Denis.Ducamp () HSC FR>]

On Tue, Aug 08, 2000 at 02:23:17PM -0400, Kev wrote:
> > In an http application : no with a buffer overflow but yes to access
> > application privileges.
> > . The more often, the cookie is used to remember the login with which you
> >   authenticated. Change that cookie and you are someone else :-( !
> > . Other times, that cookie is used to remember which part of the web site
> >   you may access : change that cookie and you may access anywhere :-( !
> >
> > Often the cookie is obfuscated with a pseudo cryptographic algorythm à la
> > xor using a short fixed length key.
> In one Web-accessible application I wrote, I did indeed put the authentication
> information in a cookie, but I also put an MD5 hash of the contents of the
> cookie appended to a secret that I placed in a configuration file, to prevent
> this very security problem.  I'm curious, though, if anyone can point out
> any problems with this approach?
Do you verify that :
. the cookie (before md5) isn't guessable. If the cookie mustn't be based
  only on constants (username, userid, fixed secret password). The better is
  to choose a random number at each authentification.
. a cookie generated for an IP A can't be used by an IP B ?
  Difficulty : if the user is behind a proxy that doesn't give the client IP
  then another client behind that proxy may use that cookie.
  Other data as client software and version may be part of verified data.
. when a cookie is generated for a user, that user doesn't have another
  cookie yet ?
. a cookie received by the server hasn't exceeded its time to live ?
  The user have to reauthenticate himself regularly during a session.
  The cookie must disapear when the client is closed.

Denis.

--
Denis.Ducamp () hsc fr -- Hervé Schauer Consultants -- http://www.hsc.fr/