Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Encrypted cookies

from [Orlin Gueorguiev] Network Security [Permanent Link]
Subject: Re: Encrypted cookies
Date: Fri, 11 Jan 2008 01:17:35 +0100 
Hi Allen,

ÐÐ Thursday 10 January 2008 22:02:01 Brokken, Allen P. ÐÐÐÐÑÐ:

Somebody here is developing a Web application that requires user logins,
but that is unable to store session information on the server (don't ask
me why, it's a long story). So here's what they propose: to take the
username, hash of the password, and date the user logged in, encrypt
them with a strong encryption algorithm, and store them in a cookie
(along with a hash to ensure integrity).

I am currently in a simiral position. I have to write an 
authentication/authorization program and to present my work J have to make a 
few example pages...


My question is, assuming a proper encryption algorithm/eky are chosen,
can anybody think of a problem that this will create that sessions don't
already have (namely, replay attacks)?

I have always loved taking a different angle. Having a cryptographic cookie...  
means that we are having a token, which can be used for authentication for a 
specific domain and time. Doesn't that mean that we have a key for a specific 
domain and time? (the replay attacks are based somewhat on that logic, 
right?) So is an approach that creates a static token a real security 
sollution? May be a more dynamic "cookie" can be the solution. A cookie that 
works with a CHAP based sollution (what I think) somewhat more secure. 
Offcourse there is the productivity problem...

Search in google for: session security with coockies. It will help you a lot.
A nice link as well:
http://www.technicalinfo.net/papers/WebBasedSessionManagement.html

Regards,
Orlin

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web 
application security assessments should be considered a crucial phase in the 
development of any web application. What methodology should be followed? What 
tools can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Fw: Re: Encrypted cookies, Rico Secada
Next by Date:  Re: Encrypted cookies, Andy Steingruebl
Previous by Thread:  RE: Encrypted cookies, Brokken, Allen P.
Next by Thread:  Re: Encrypted cookies, Rico Secada
Indexes:  [Date] [Thread] [Top] [All Lists]