|
WebApp Sec
mailing list archives
Encrypted cookies
From: Ron <ronlists () skullsecurity com>
Date: Thu, 10 Jan 2008 10:26:08 -0600
Somebody here is developing a Web application that requires user logins,
but that is unable to store session information on the server (don't ask
me why, it's a long story). So here's what they propose: to take the
username, hash of the password, and date the user logged in, encrypt
them with a strong encryption algorithm, and store them in a cookie
(along with a hash to ensure integrity).
My question is, assuming a proper encryption algorithm/eky are chosen,
can anybody think of a problem that this will create that sessions don't
already have (namely, replay attacks)?
I've thought about this for over a day, and I can't think of any obvious
problems, but I could be missing something.
Thanks!
Ron
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
- Encrypted cookies Ron (Jan 10)
|
Intro
