Another Access control theory
Posted: Mon Jul 19, 2004 2:55 pm
Sorry, no neat flow charts here..
My site really doesn't need crazy security. It's a site similar to epinons in functionality.
Right now, I store users in the db. When a user logs in, a random unique key is generated and the key is stored as a cookie as well as in the DB under the users "login status". If they have "remember me" checked, the cookie is good for a year, otherwise it's only good for the browser life.
I check the cookie key against the value in the DB any time the user tries to do something that needs auth (like post a review).
I would like to know what are the security holes in this model. The only thing I could think of is if someone stole the cookie, they could basically get the users who's cookie it is access level.
1: Is there a fix for this? I couldn't think of any without having something unique on the client side.
2: how big a whole is this? How easy is it to steal a cookie off someone's computer?
3: Are there any other holes?
4: How does this level of security compare to sessions? I couldn't think of any real difference since isn't the session ID stored in a cookie? (or worse yet, in the url..)
Thanks,
Mike
My site really doesn't need crazy security. It's a site similar to epinons in functionality.
Right now, I store users in the db. When a user logs in, a random unique key is generated and the key is stored as a cookie as well as in the DB under the users "login status". If they have "remember me" checked, the cookie is good for a year, otherwise it's only good for the browser life.
I check the cookie key against the value in the DB any time the user tries to do something that needs auth (like post a review).
I would like to know what are the security holes in this model. The only thing I could think of is if someone stole the cookie, they could basically get the users who's cookie it is access level.
1: Is there a fix for this? I couldn't think of any without having something unique on the client side.
2: how big a whole is this? How easy is it to steal a cookie off someone's computer?
3: Are there any other holes?
4: How does this level of security compare to sessions? I couldn't think of any real difference since isn't the session ID stored in a cookie? (or worse yet, in the url..)
Thanks,
Mike