Other ways of protecting cookies

views:

116

answers:

+2 Q:

Other ways of protecting cookies

I've been thinking a lot about this recently, and I wanted to know if anyone has thought of/implemented any intuitive ways of securing cookies from manipulation. I've always used the "sign it with a hash and check against the hash later" approach, but it doesn't strike me as a particularly brilliant way of going about it, and just like all good programmers I want to find a better way of doing it.

As for why cookies specifically, well, I don't use native sessions - I hate to touch the filesystem. Cookies are a really quick way of storing data for later, and even with things such as user authentication I'll chuck the user ID in the cookie, perhaps along with the username/email and a signature, as well as a random hash for good measure.

What clever ways have you used to secure your cookie data?

+1 A:

With hashing you need to be very careful that you have included a salt, otherwise it can be trivial to determine a matching hash.

Thus, to protect against accidents, it's often appropriate to also encrypt the cookie.

-- edit

You may also like to learn about 'HTTPOnly' cookies: http://www.owasp.org/index.php/HTTPOnly

Noon Silk 2009-08-24 00:23:44

+2 A:

Uh, you're storing the UserID in the cookie and giving the user access based on that value? You're asking for trouble. Server session based data implementations exist for a good security reason: Store a session identifier in the cookie and access the UserID from the record on the server where the client can't tamper with it.

Cookie security to protect against client tampering is pretty much a lost cause. Given enough time, someone will figure out how to crack it. Don't give clients that opportunity. Cookie security's only purpose is to make sure client's cookies aren't stolen.

Spencer Ruport 2009-08-24 00:33:16

Preventing tampering is actually quite a legitimate exercise, and not at all a lost cause. Cryptography is dedicated to this exercise.

Noon Silk 2009-08-24 00:52:45

I stand by my concept - the filesystem is horrible and I dislike native sessions. Anyway, this is how a lot of big websites do their authentication. Flickr and Yahoo both do this for a fact, and Rails and CodeIgniter sessions actually use cookies.It's a good way of passing around small chunks of data. If you sign it and encode it it's fine.

Jamie Rumbelow 2009-08-24 11:28:23

Signing the cookie with a HMAC is a perfectly reasonable way to do this. HMAC essentially rolls a secret key known only by your server into the hash, so even someone who knows the algorithm can't generate a HMAC that will be recognized as valid without knowing the key. Just using a plain old hash is trivially bypassable because the attacker can generate valid hashes of their own data, and all the "salt" in the ocean won't fix that.

Even if you used a session ID instead of storing meaningful values, you still would have to be careful that an attacker couldn't predict another valid session ID, and send that to you instead, thus hijacking the other user's session. I believe there was an actual exploit against Hotmail that worked this way.

Encrypting the cookie only helps you if there's something in there you don't want the user to see. Even worse, encryption without an HMAC gives a false sense of security because a cookie that is merely encrypted is still vulnerable to manipulation of the ciphertext to change parts of the plaintext.

So in summary, don't just hash it, use an HMAC!

Theran 2009-08-24 00:54:35

Theran: You can only change the ciphertext to change the plaintext if you know the key. If you go randomly changing bits of ciphertext, it will result in the cookie not being decrypted. You should not let someone brute-force this, to determine interesting things, but it's not exactly a relevant attack.

Noon Silk 2009-08-24 00:56:39

@silky, You can indeed manipulate the plaintext through the ciphertext without knowing the key. The reason is that for most block cipher modes of operation, changing one bit in the ciphertext changes a corresponding bit in the plaintext, and garbles one other block. By doing this cleverly, you can make the garbled block irrelevant and trick the server into doing what you want with the ungarbled blocks.

Theran 2009-08-24 01:02:49

I don't think it will be a bit-for-bit change, I would expect that the changes are propagated throughout the result. Regardless, though, what do you expect to achieve? The decrypted result will be rubbish. Anyway, interested to see references to examples of this being done.

Noon Silk 2009-08-24 01:13:20

The article's original location is 404ed, but http://www.securityfocus.com/blogs/2009 has a copy of an article by Thomas Ptacek that explains exactly this sort of situation. I think its true home was at http://www.matasano.com/log/1749/typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/ in case it comes back.

Theran 2009-08-24 01:21:04

A good, helpful, answer. Thanks!

Jamie Rumbelow 2009-08-24 11:29:56

On the Security Now podcast (i forgot which episode), Steve Gibson talks about doing something like this and i think the system he recommended was to make the contents of the cookie a good hash, then make that hash a key in your local database where the value(s) is(are) all of the info that it needs to store.

RCIX 2009-08-24 01:14:14

ansaurus

tags:

views:

answers:

Other ways of protecting cookies

related questions