Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: Encrypted cookies

Re: Encrypted cookies

From: Orlin Gueorguiev <orlin_at_baturov.com>
Date: Fri, 11 Jan 2008 01:17:35 +0100

Hi Allen,

На Thursday 10 January 2008 22:02:01 Brokken, Allen P. написа:
> Somebody here is developing a Web application that requires user logins,
> but that is unable to store session information on the server (don't ask
> me why, it's a long story). So here's what they propose: to take the
> username, hash of the password, and date the user logged in, encrypt
> them with a strong encryption algorithm, and store them in a cookie
> (along with a hash to ensure integrity).
I am currently in a simiral position. I have to write an
authentication/authorization program and to present my work J have to make a
few example pages...

> My question is, assuming a proper encryption algorithm/eky are chosen,
> can anybody think of a problem that this will create that sessions don't
> already have (namely, replay attacks)?
I have always loved taking a different angle. Having a cryptographic cookie...
means that we are having a token, which can be used for authentication for a
specific domain and time. Doesn't that mean that we have a key for a specific
domain and time? (the replay attacks are based somewhat on that logic,
right?) So is an approach that creates a static token a real security
sollution? May be a more dynamic "cookie" can be the solution. A cookie that
works with a CHAP based sollution (what I think) somewhat more secure.
Offcourse there is the productivity problem...

Search in google for: session security with coockies. It will help you a lot.
A nice link as well:
http://www.technicalinfo.net/papers/WebBasedSessionManagement.html

Regards,
Orlin

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Received on Jan 11 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos