Re: smart kid
Posted: Fri Jul 24, 2009 6:49 pm
by jackpf
Lol yeah... xD
Nah people say cookies aren't secure...but they are if you use them properly. Besides, sessions just create more load on the server...
But yeah, that's what I use atm and it works fine for me.
I've never been hacked using it. Oh well..except for that one time I was testing something out and forgot to change it back, allowing people to post without being logged in (when I was developing the ajax quick post thing)
http://jackpf.co.uk/index.php?action=fo ... 1#Post:785
:P
Re: smart kid
Posted: Wed Jul 29, 2009 7:55 pm
by Jonah Bron
I don't want to come across as dumb, but...
So, that's how you do a login thing. As surprising as it may seem, I've never made a login system. I understand the concept, but I hadn't taken the time to think about how to make sure they have the right cookie. And I've never researched it. The hash is the key. The one e-commerce website I've made didn't require an account.
Thanks.
Re: smart kid
Posted: Wed Jul 29, 2009 8:00 pm
by Eran
Data from a cookie should be treated the same as user input - it can't be trusted. Put unsensitive information there if you wish, however, information containing user privileges and identity must be kept in a session. No matter how clever you think your security scheme is, it can be broken. By allowing the user full access (read + write) to sensitive data you are leaving yourself wide open to attacks.
jackpf wrote:I've never been hacked using it.
No offense, but that's really not an indication of anything. Once you have something worth hacking for and people know about it, then you can be proud of your security system.
Re: smart kid
Posted: Wed Jul 29, 2009 8:58 pm
by Weirdan
pytrin wrote:No matter how clever you think your security scheme is, it can be broken.
I'd like to point out that you've just made it look like you're saying any encryption scheme is useless. The point of encryption is to be able to hand sensitive data to someone you do not trust and order him to deliver it to someone who you do trust, and to be sure data was not read nor tampered with by an untrusted party.
Re: smart kid
Posted: Thu Jul 30, 2009 2:48 am
by Eran
Strong encryption made by experts is obviously not useless. Home-brewed solutions by web developers, unless they are security experts, are probably very insecure. So yes, if you are using SSL encryption to secure your cookies then you can use them instead of sessions.
Re: smart kid
Posted: Thu Jul 30, 2009 3:15 am
by onion2k
jackpf wrote:Yeah...programming games would be smurf cool.
Very long hours, very bad pay, and absolutely no job security at all. It's a cool job, but it's definitely not a good job.
Re: smart kid
Posted: Thu Jul 30, 2009 6:57 am
by jackpf
Jonah Bron wrote:The hash is the key.
Indeed

If you're not using sessions (which I'm not) then you need something to make sure people are who they say they are. In fact, you need to do so with sessions as well, due to session hijacking. I believe it's common practice to use people's browser's user agents to reduce the chances of sessions being stolen.
pytrin wrote:Data from a cookie should be treated the same as user input - it can't be trusted.
Exactly - that's why the hashed cookie is so crucial.
pytrin wrote:Put unsensitive information there if you wish, however, information containing user privileges and identity must be kept in a session.
Not true - if someone messes with one of the cookies, it won't match with the hashed cookie. If they mess with the hashed cookie, it won't match the other cookies, so the next page they visit, they get logged out.
pytrin wrote:jackpf wrote:I've never been hacked using it.
No offense, but that's really not an indication of anything. Once you have something worth hacking for and people know about it, then you can be proud of your security system.
I completely agree. But as I said, I'm only 16...I haven't really coded anything "important" as yet. If I were to get hacked, it wouldn't be a huge deal - it's not like I have anything interesting in my database. But having not been hacked is better than having been hacked, no matter how big your site is
I don't mean this in a sarcastic way, but I'd be very happy to let you have a go at hacking my cookies. I'd be interested to see if anyone is able to do so. (URL is in my signature)
onion2k wrote:jackpf wrote:Yeah...programming games would be smurf cool.
Very long hours, very bad pay, and absolutely no job security at all. It's a cool job, but it's definitely not a good job.
And yeah. But yes, very cool

Re: smart kid
Posted: Thu Jul 30, 2009 7:26 am
by Eran
jackpf wrote:Not true - if someone messes with one of the cookies, it won't match with the hashed cookie. If they mess with the hashed cookie, it won't match the other cookies, so the next page they visit, they get logged out.
As long as all the data is in cookies, they can all be tampered with. That is the nature of cookies
jackpf wrote:I don't mean this in a sarcastic way, but I'd be very happy to let you have a go at hacking my cookies. I'd be interested to see if anyone is able to do so. (URL is in my signature)
I'm not a hacker or a security expert. I know just enough to know that I better leave security to experts and follow proven conventions than try to come up with my own solutions. I have dealt with plenty of sensitive systems, mostly fiscal and confidential information that needed to be secure, so I know the basics but don't try to innovate. This is a field where it's better to be safe than creative.
If you'd really like to test your system, there are plenty of hacking forums that would gladly give it a go.
Re: smart kid
Posted: Thu Jul 30, 2009 7:30 am
by jackpf
True, they can mess with the cookies.
But, if they do, they won't match up! Unless they know what's in the hashed cookie (which they don't) and then they'd need to know the value of the cookie for whoever's account they're trying to hack, which would be impossible.
I agree with you that cookies can be messed with, but I don't think it's possible to do so successfully the way I'm validating them.
I might have a look around some hacking forums though, thanks for the suggestion.
Re: smart kid
Posted: Thu Jul 30, 2009 11:48 am
by Eran
jackpf wrote:But, if they do, they won't match up! Unless they know what's in the hashed cookie (which they don't) and then they'd need to know the value of the cookie for whoever's account they're trying to hack, which would be impossible.
You're assuming that people won't be able to figure out how you encrypted your cookies. There are methods to extract such information, and once they know how you did it they can attack it. Unless you have very strong encryption, it will be broken - security through obscurity is a very weak measure.
Another thing is that you are not only compromising yourself by putting sensitive/personal data on users in their cookies, but also compromising the users themselves. Attacks such as XSS and CSRF can be used to steal the users' cookies and any information contained inside.
It's not a coincidence most experts condone the use of sessions as the primary method for persisting sensitive data.
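Added example (not part of the thread, and not jackpf's code, which is never shown): the "hashed cookie" check debated above, written in Python, with a plain unkeyed hash beside an HMAC keyed with a server-side secret. The cookie names, values and key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption): in practice a random secret kept in
# server-side configuration and never sent to the browser.
SERVER_KEY = b"constructed-demo-key"


def canonical(cookies: dict) -> bytes:
    """Serialise names and values with length prefixes so fields cannot blur together."""
    out = b""
    for name in sorted(cookies):
        for field in (name, cookies[name]):
            raw = field.encode("utf-8")
            out += len(raw).to_bytes(4, "big") + raw
    return out


def unkeyed_tag(cookies: dict) -> str:
    """Weak variant: plain hash; anyone who learns the recipe can recompute it."""
    return hashlib.sha256(canonical(cookies)).hexdigest()


def keyed_tag(cookies: dict) -> str:
    """Hardened variant: HMAC-SHA256; recomputing it requires SERVER_KEY."""
    return hmac.new(SERVER_KEY, canonical(cookies), hashlib.sha256).hexdigest()


def verify(cookies: dict, tag: str, tag_fn) -> bool:
    """Server-side check, using a constant-time comparison."""
    return hmac.compare_digest(tag_fn(cookies), tag)


def compare_schemes() -> dict:
    issued = {"user_id": "42", "role": "member"}   # constructed cookie values
    edited = dict(issued, role="admin")            # values changed client-side
    client_tag = unkeyed_tag(edited)               # tag recomputed without the key
    return {
        "weak_accepts_original": verify(issued, unkeyed_tag(issued), unkeyed_tag),
        "keyed_accepts_original": verify(issued, keyed_tag(issued), keyed_tag),
        "weak_accepts_edit_old_tag": verify(edited, unkeyed_tag(issued), unkeyed_tag),
        "keyed_accepts_edit_old_tag": verify(edited, keyed_tag(issued), keyed_tag),
        "weak_accepts_edit_new_tag": verify(edited, client_tag, unkeyed_tag),
        "keyed_accepts_edit_new_tag": verify(edited, client_tag, keyed_tag),
    }


if __name__ == "__main__":
    for check, accepted in compare_schemes().items():
        print(f"{check}: {accepted}")
```

The keyed tag only detects modification: the cookie values are still readable by the browser and by anything that obtains the cookie, which is the exposure Eran describes for sensitive data kept client-side.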
Re: smart kid
Posted: Thu Jul 30, 2009 12:06 pm
by jackpf
True...but from what I understand, rainbow tables are the only realistic way of "unhashing" data, without a super-computer.
I doubt anyone will be able to "unhash" the cookies...
And true. But the same goes for sessions - if you can steal a cookie, you can steal a session.
Re: smart kid
Posted: Thu Jul 30, 2009 2:15 pm
by Eran
jackpf wrote:if you can steal a cookie, you can steal a session
That's partially true, however a session cookie does not contain the sensitive data itself. Hopefully more safeguards are in place to prevent session fixation and theft
Re: smart kid
Posted: Thu Jul 30, 2009 2:21 pm
by jackpf
True...
But I'm on shared hosting, and from what I've heard it's pretty easy to view other domains' sessions that are on the same server. There is the option of storing them in the database...but then I'd have the extra load on a site that already relies heavily on the db.
Re: smart kid
Posted: Thu Jul 30, 2009 2:24 pm
by Eran
jackpf wrote:I'm on shared hosting
oh.. makes sense now
shared hosting in general is a security risk. we work only with VPS or dedicated servers
Re: smart kid
Posted: Thu Jul 30, 2009 2:28 pm
by jackpf
pytrin wrote:we work only with VPS or dedicated servers
Well aren't you the lucky one
I think both can be equally secure, and insecure. It's just down to how they're implemented. But yes, I agree that in general, sessions are, in most cases, more secure.