Another Access control theory

Posted: Mon Jul 19, 2004 2:55 pm
by turbo2ltr
Sorry, no neat flow charts here.. :)

My site really doesn't need crazy security. It's a site similar to Epinions in functionality.

Right now, I store users in the db. When a user logs in, a random unique key is generated and the key is stored as a cookie as well as in the DB under the user's "login status". If they have "remember me" checked, the cookie is good for a year, otherwise it's only good for the browser life.

I check the cookie key against the value in the DB any time the user tries to do something that needs auth (like post a review).

I would like to know what are the security holes in this model. The only thing I could think of is if someone stole the cookie, they could basically get the access level of the user whose cookie it is.

1: Is there a fix for this? I couldn't think of any without having something unique on the client side.
2: How big a hole is this? How easy is it to steal a cookie off someone's computer?
3: Are there any other holes?
4: How does this level of security compare to sessions? I couldn't think of any real difference since isn't the session ID stored in a cookie? (or worse yet, in the url..)


Thanks,
Mike
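
The cookie-key scheme described in this post, written out as an added Python example (it is not code from the poster's site; the in-memory dict standing in for the users table, the cookie name "auth", the "user:key" cookie layout and SHA-256 hashing of the stored key are all assumptions). It keeps the model as described, one random key per login stored both in the cookie and next to the user record, and adds the checks a defender would want around it: the key comes from the OS CSPRNG, only its hash is stored so a copy of the DB cannot be replayed as a cookie, the comparison is constant-time, a new login replaces the old key, logout invalidates the server-side copy, and the cookie is flagged HttpOnly/Secure/SameSite so it is harder to steal via page scripts or an unencrypted connection.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stand-in for the users table and its "login status"
# column from the post (assumption: one active key per user).
USERS = {"mike": {"token_hash": None, "expires": None}}

TOKEN_BYTES = 32                      # 256 bits from the OS CSPRNG
REMEMBER_ME_LIFETIME = 365 * 24 * 3600  # one year, as in the post


def _hash(token: str) -> str:
    # Only the hash is stored server-side, so reading the DB does not
    # hand out a usable cookie value.
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str, remember_me: bool, now: Optional[float] = None) -> dict:
    """Issue a fresh random key, store its hash (and expiry) with the user,
    and return the cookie attributes the application should send."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)   # no ':' in the alphabet
    USERS[username]["token_hash"] = _hash(token)  # replaces any earlier key
    USERS[username]["expires"] = now + REMEMBER_ME_LIFETIME if remember_me else None
    cookie = {
        "name": "auth",                 # assumed cookie name
        "value": f"{username}:{token}",  # assumed layout: user, then key
        "HttpOnly": True,   # not readable by scripts running in the page
        "Secure": True,     # only sent over HTTPS
        "SameSite": "Lax",  # not attached to cross-site POSTs
    }
    if remember_me:
        cookie["Max-Age"] = REMEMBER_ME_LIFETIME
    # Without Max-Age the browser drops the cookie when it closes; the server
    # cannot observe that, so the key stays valid until the next login/logout.
    return cookie


def check_auth(cookie_value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the cookie carries a live key, otherwise None.
    Call this before any action that needs auth (e.g. posting a review)."""
    now = time.time() if now is None else now
    username, sep, token = cookie_value.partition(":")
    rec = USERS.get(username) if sep else None
    if not rec or rec["token_hash"] is None:
        return None                      # unknown user or logged out
    if rec["expires"] is not None and now > rec["expires"]:
        return None                      # "remember me" key has aged out
    # Constant-time comparison so a wrong key cannot be refined by timing.
    if not hmac.compare_digest(rec["token_hash"], _hash(token)):
        return None
    return username


def logout(username: str) -> None:
    """Invalidate the stored key; a stolen copy of the cookie stops working too."""
    USERS[username]["token_hash"] = None
    USERS[username]["expires"] = None


if __name__ == "__main__":
    c = login("mike", remember_me=False)
    print("cookie:", c)
    print("auth ->", check_auth(c["value"]))      # mike
    logout("mike")
    print("after logout ->", check_auth(c["value"]))  # None
```

The one part of the poster's model this does not change is the browser-session cookie: the server never learns that the browser closed, so a key issued without "remember me" remains valid until the user logs in again or logs out. A server-side idle timeout (refresh `expires` on each successful check and reject keys unused for some period) is the usual way to bound that window.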

Posted: Mon Jul 19, 2004 2:58 pm
by feyd
yeah.. it's the same risk as sessions.. so secure enough for most things..

Posted: Mon Jul 19, 2004 3:01 pm
by turbo2ltr
Feyd, how do you get any work done since you are always here? :)

Thanks for the quick response.. you didn't even give me time to edit my post. :?

Posted: Mon Jul 19, 2004 4:00 pm
by d3ad1ysp0rk
turbo2ltr wrote: Feyd, how do you get any work done since you are always here? :)
He doesn't sleep.