Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Using sessions and cookies
5 views
Skip to first unread message
Victor Porton
Jan 15, 2013, 12:37:20 PM1/15/13
to
From
http://www.larryullman.com/2010/01/07/custom-authentication-using-the-yii-framework/:
Now, by default, Yii will use cookies for authentication. In most
situations that’s fine, but if anything of a sensitive nature is
being stored, you should use sessions instead. This would apply
to both the user’s ID value and their role. If either is
available through a cookie, it wouldn’t be hard for the user to
edit that cookie’s value in order to become someone else. So, to
start, let’s disable the potential for using cookies.
My question: Is it OK to use cookies for:
1. storing session IDs?
2. storing username and password?
Larry speaks as if using cookies and using sessions would contradict
to each other. But what about the combination (1. above) to use
cookies with session IDs?
--
Victor Porton - http://portonvictor.org
http://www.larryullman.com/2010/01/07/custom-authentication-using-the-yii-framework/:
Now, by default, Yii will use cookies for authentication. In most
situations that’s fine, but if anything of a sensitive nature is
being stored, you should use sessions instead. This would apply
to both the user’s ID value and their role. If either is
available through a cookie, it wouldn’t be hard for the user to
edit that cookie’s value in order to become someone else. So, to
start, let’s disable the potential for using cookies.
My question: Is it OK to use cookies for:
1. storing session IDs?
2. storing username and password?
Larry speaks as if using cookies and using sessions would contradict
to each other. But what about the combination (1. above) to use
cookies with session IDs?
--
Victor Porton - http://portonvictor.org
Bjoern Hoehrmann
Jan 15, 2013, 2:33:57 PM1/15/13
to
* Victor Porton wrote in comp.programming:
properties of various online authentication schemes. Note in particular
the preceding paragraph with the example of storing a "SHA1()-encrypted
version of the user’s password". SHA-1 is a cryptographic hash function
and no encryption scheme, and it is rather unsound to store bare hashes
of user passwords; even as an example it is rather misleading because it
does not offer any notable advantage over storing the plain password.
Further, I note that such tutorials are often written using the termino-
logy of the framework being employed, so I am not sure what is meant by
"Yii will use cookies for authentication" without further context.
>My question: Is it OK to use cookies for:
>1. storing session IDs?
>2. storing username and password?
The important thing to note is that cookies are sent over the wire all
the time, anything "stored in a cookie" is part of every request to the
server. If, for instance, an attacker can observe what the victim is
sending to the server, then sending username and password with each and
every request would make it a lot easier for the attacker to know them;
that can be more problematic than the attacker obtaining a session iden-
tifier because the user might use the password on other sites, or it may
be a long time before the user changes the password, while the session
identifier might expire quickly, so the attacker would have more time to
conduct an attack. So passwords in cookies are worse than session iden-
tifiers.
--
Björn Höhrmann · mailto:bjo...@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
>From
>http://www.larryullman.com/2010/01/07/custom-authentication-using-the-yii-framework/:
>
>Now, by default, Yii will use cookies for authentication. In most
>situations that’s fine, but if anything of a sensitive nature is
>being stored, you should use sessions instead. This would apply
>to both the user’s ID value and their role. If either is
>available through a cookie, it wouldn’t be hard for the user to
>edit that cookie’s value in order to become someone else. So, to
>start, let’s disable the potential for using cookies.
This does not seem to be a suitable resource to learn about the security
>http://www.larryullman.com/2010/01/07/custom-authentication-using-the-yii-framework/:
>
>Now, by default, Yii will use cookies for authentication. In most
>situations that’s fine, but if anything of a sensitive nature is
>being stored, you should use sessions instead. This would apply
>to both the user’s ID value and their role. If either is
>available through a cookie, it wouldn’t be hard for the user to
>edit that cookie’s value in order to become someone else. So, to
>start, let’s disable the potential for using cookies.
properties of various online authentication schemes. Note in particular
the preceding paragraph with the example of storing a "SHA1()-encrypted
version of the user’s password". SHA-1 is a cryptographic hash function
and no encryption scheme, and it is rather unsound to store bare hashes
of user passwords; even as an example it is rather misleading because it
does not offer any notable advantage over storing the plain password.
Further, I note that such tutorials are often written using the termino-
logy of the framework being employed, so I am not sure what is meant by
"Yii will use cookies for authentication" without further context.
>My question: Is it OK to use cookies for:
>1. storing session IDs?
>2. storing username and password?
the time, anything "stored in a cookie" is part of every request to the
server. If, for instance, an attacker can observe what the victim is
sending to the server, then sending username and password with each and
every request would make it a lot easier for the attacker to know them;
that can be more problematic than the attacker obtaining a session iden-
tifier because the user might use the password on other sites, or it may
be a long time before the user changes the password, while the session
identifier might expire quickly, so the attacker would have more time to
conduct an attack. So passwords in cookies are worse than session iden-
tifiers.
--
Björn Höhrmann · mailto:bjo...@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
bob
Jan 15, 2013, 4:07:12 PM1/15/13
to
I believe both 1 and 2 might be feasible if you just use HTTPS.
0 new messages