WebApp Sec: Re: Fw: Re: Encrypted cookies

Re: Fw: Re: Encrypted cookies

From: Ron <ronlists_at_skullsecurity.com>
Date: Tue, 15 Jan 2008 16:07:37 -0600

Rico Secada wrote:
> On Thu, 10 Jan 2008 10:26:08 -0600
> Ron <ronlists_at_skullsecurity.com> wrote:
>
>> Somebody here is developing a Web application that requires user
>> logins, but that is unable to store session information on the server
>> (don't ask me why, it's a long story). So here's what they propose:
>
> Sorry, I can't help but probe into the matter. If "somebody" is
> creating a web application that requires user login, then that somebody
> needs some way to store information in some kind of database on the
> server: usernames, passwords, etc. You cannot store this information on
> the client side for later validation.
>
>> to take the username, hash of the password, and date the user logged
>> in, encrypt them with a strong encryption algorithm, and store them
>> in a cookie (along with a hash to ensure integrity).
>
> "to take the username" if not stored on the server from where then?
>
> What do you want to accomplish with this?
>
> If you cannot store any information of any kind on the server, the
> information that you store in a cookie is rather worthless.
>
> Perhaps I have misunderstood you.

You're correct, the backend database stores that. However, that's all it
stores and changing the database isn't an option. And there is no
session functionality available.

So they are taking the username, password, and expiry time, encrypting
them, and putting them into the cookie. When the cookie is returned, it
decrypts the values, checks the username and password against the
database, and validates that it's still valid (i.e., makes sure the
username and password match, and that it's not expired yet).

Does that make sense?

Thanks to everybody who replied!
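The stateless login cookie Ron describes, as an added example that is not code from the thread: the cookie carries username, password hash and expiry, and on return the server checks integrity, expiry, and the credentials against the user table. It uses an HMAC keyed with a server secret for the integrity check (a bare hash, as first proposed, can be recomputed by whoever edits the cookie), and hypothetical stdlib-only helpers; the additional encryption of the payload with an AEAD from a crypto library is not shown.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-side secret; in production, load it from a secrets store.
COOKIE_KEY = secrets.token_bytes(32)

# Constructed stand-in for the backend user table the thread mentions:
# username -> password hash (hypothetical hashing scheme, for illustration).
USER_DB = {}


def _pw_hash(username: str, password: str) -> str:
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


def register(username: str, password: str) -> None:
    USER_DB[username] = _pw_hash(username, password)


def _mac(payload: bytes) -> bytes:
    # Keyed MAC: a client cannot forge this without COOKIE_KEY.
    return hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()


def issue_cookie(username: str, password: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    payload = json.dumps({"u": username, "p": _pw_hash(username, password), "exp": int(now + ttl_seconds)}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(_mac(payload)).decode()


def validate_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the cookie is authentic, unexpired and matches the DB, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(tag, _mac(payload)):  # verify before trusting any field
        return None
    data = json.loads(payload)
    if now >= data["exp"]:
        return None
    stored = USER_DB.get(data["u"])  # re-check the DB so a password change kills old cookies
    if stored is None or not hmac.compare_digest(stored, data["p"]):
        return None
    return data["u"]
```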

Received on Jan 15 2008