Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: Encrypted cookies

Re: Encrypted cookies

From: Rico Secada <coolzone_at_it.dk>
Date: Thu, 10 Jan 2008 23:18:08 +0100

On Thu, 10 Jan 2008 10:26:08 -0600
Ron <ronlists_at_skullsecurity.com> wrote:

> Somebody here is developing a Web application that requires user
> logins, but that is unable to store session information on the server
> (don't ask me why, it's a long story). So here's what they propose:

Sorry, I can't help but to probe into the matter. If "somebody" is
creating a web application that requires user login, then that somebody
needs some way to store information on some kind of database on the
server, usernames, passwords etc. You cannot store this information on
the client side for later validation.

> to take the username, hash of the password, and date the user logged
> in, encrypt them with a strong encryption algorithm, and store them
> in a cookie (along with a hash to ensure integrity).

"to take the username" if not stored on the server from where then?

What do you want to accomplish with this?

If you cannot store any information of any kind on the server, the
information that you store in a cookie is rather worthless.

Perhaps I have misunderstood you.

> My question is, assuming a proper encryption algorithm/eky are
> chosen, can anybody think of a problem that this will create that
> sessions don't already have (namely, replay attacks)?
>
> I've thought about this for over a day, and I can't think of any
> obvious problems, but I could be missing something.
>
> Thanks!
>
> Ron
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
> Methodologies & Tools for Web Application Security Assessment
> With the rapid rise in the number and types of security threats, web
> application security assessments should be considered a crucial phase
> in the development of any web application. What methodology should be
> followed? What tools can accelerate the assessment process? Download
> this Whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------
>
>

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Received on Jan 10 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos