I'm writing a database authentication system for my web application, which is written in ASP.NET MVC. When someone authorizes, it should save his username in cookies. Is it safe to just use `HttpResponse.Cookies` for saving a cookie whose value is the username? Wouldn't it be forgeable?

Saving only the username... Is it the right and safe way? Or should I save the whole User object (if this is actually possible)?

Thank you and sorry for my English.

+2  A: 

No, saving the username is very insecure, because it can be easily faked. Here are my guidelines:

  1. Use a token.
  2. Hash the token when it is stored in the database.
  3. Make the cookie HttpOnly.

Tokens can be generated by a CSPRNG to ensure that the auto-login cookie cannot be faked.

Hashing the tokens in the database prevents user account stealing in the case that your database is compromised. (Remember, the token at this point is a password-equivalent.)

HTTP-Only cookies prevent XSS attacks that could potentially steal the cookie.

John Gietzen
What's a token?
TTT
A token is a randomly generated number or piece of text that is impossible to guess.
John Gietzen
Thanks, but how can I make a cookie HttpOnly?
TTT
Response.Cookies["whatever"].HttpOnly = true;
John Gietzen
oh, thank you very much.
TTT
A: 

If you store the username in the cookie then it's very easy for someone to change that.

A better approach would be to store a session id (which you have generated) in the cookie and hang things like the username off that in your server.

Andy
The session id and its username/user should be saved in a database?
TTT
Yes -- so you would use the session id as a key into a table which contains all the session related information you need, such as the user. Since you generated the id, probably in the form of a GUID, someone won't be able to fake another user's session by modifying the cookie value.
Andy
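A worked example of the two answers above (John Gietzen's three guidelines and Andy's server-side session table), added here as illustration and not code posted by either of them. It assumes a hypothetical `SessionStore` class standing in for the database table, the cookie name `auth`, and the `HttpRequestBase`/`HttpResponseBase` abstractions that ASP.NET MVC controllers expose as `Request` and `Response`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Hypothetical stand-in for the database table that maps a token hash to a user.
// In a real application this is a table with (token_hash, username, expires) columns.
public class SessionStore
{
    private readonly Dictionary<string, string> _userByTokenHash =
        new Dictionary<string, string>(StringComparer.Ordinal);

    public void Add(string tokenHash, string username) { _userByTokenHash[tokenHash] = username; }

    public string Find(string tokenHash)
    {
        string username;
        return _userByTokenHash.TryGetValue(tokenHash, out username) ? username : null;
    }

    public void Remove(string tokenHash) { _userByTokenHash.Remove(tokenHash); }
}

public static class AuthTokens
{
    private const string CookieName = "auth";   // assumed cookie name
    private const int TokenBytes = 32;          // 256 bits of CSPRNG output

    // 1. Use a token: 256 random bits from the OS CSPRNG. Nobody can guess it,
    //    so editing the cookie to "another user's value" is not possible.
    public static string NewToken()
    {
        var bytes = new byte[TokenBytes];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    // 2. Hash the token before it reaches the database: a dumped table then holds
    //    nothing that can be replayed as a cookie. A plain SHA-256 suffices here
    //    (no salt, no slow KDF): the input is already 256 random bits, which is
    //    exactly what a password hash's salt and work factor have to make up for.
    public static string Hash(string token)
    {
        using (var sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
        }
    }

    // Called after the password has been verified: the cookie carries the raw
    // token, the store only its hash.
    public static void Issue(HttpResponseBase response, SessionStore store, string username)
    {
        string token = NewToken();
        store.Add(Hash(token), username);

        var cookie = new HttpCookie(CookieName, token)
        {
            HttpOnly = true,                        // 3. not readable from script (XSS)
            Secure = true,                          // never sent over plain HTTP
            Expires = DateTime.UtcNow.AddDays(30)
        };
        response.Cookies.Add(cookie);
    }

    // Called on every request: look up the user by the hash of what the client sent.
    // Returns null for a missing, forged or revoked cookie.
    public static string Resolve(HttpRequestBase request, SessionStore store)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        return store.Find(Hash(cookie.Value));
    }

    // Logout: delete the server-side row so the token is dead even if a copy of
    // the cookie was stolen, then expire the cookie in the browser.
    public static void Revoke(HttpRequestBase request, HttpResponseBase response, SessionStore store)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie != null && !string.IsNullOrEmpty(cookie.Value))
        {
            store.Remove(Hash(cookie.Value));
        }
        response.Cookies.Add(new HttpCookie(CookieName, string.Empty)
        {
            HttpOnly = true,
            Secure = true,
            Expires = DateTime.UtcNow.AddDays(-1)
        });
    }
}
```

In a controller, `AuthTokens.Issue(Response, store, username)` runs once the password check has passed, and an action filter (or `Application_AuthenticateRequest`) calls `AuthTokens.Resolve(Request, store)` on each request and treats `null` as "not logged in". Because only the hash is stored, the server itself cannot reconstruct a user's cookie from the table, which is the point of guideline 2.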
+1  A: 

No, saving the user name in a cookie to flag that the user is authorized is not the right way, and it's definitely not safe.

It would be quite easy to edit the cookie to be someone else's user name, and voila! you are now authorized as that user.

Instead you should store some information in the cookie that is not specific to the user, but is specific to the user session. You could create a value from the browser string (scrambled in some way to make it less obvious) and store the value both in the cookie and in the session data on the server. When the user sends the next request, you can verify that the value comes from the same session and the same browser configuration.

It's of course not totally safe, as you can spoof both cookie data and browser string, but it's a lot safer than putting the user name in a cookie, and somewhat safer than only relying on the session id.

To get an authentication that is really safe, you have to use SSL.

Guffa
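One way to implement the browser-binding check Guffa describes, added here as an example rather than code from the answer. The "scrambling" is done with an HMAC under a server-side key (assumed to be loaded from configuration); the cookie name `sid_bind` and the use of `HttpContextBase` are also assumptions. As the answer itself says, the User-Agent can be spoofed, so this is defence in depth on top of an unguessable session id, not a substitute for one.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class SessionBinding
{
    // Assumed: a random server-side key loaded from configuration. The client
    // must not know it, otherwise it could compute the binding value itself.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("load-a-random-key-from-config");

    private const string CookieName = "sid_bind";   // assumed cookie name

    // The "scrambled" browser value: an HMAC of the User-Agent under the server key.
    // A keyed MAC rather than a plain hash means an attacker who knows a victim's
    // User-Agent still cannot produce the matching value.
    public static string BindingValue(string userAgent)
    {
        using (var mac = new HMACSHA256(Key))
        {
            byte[] tag = mac.ComputeHash(Encoding.UTF8.GetBytes(userAgent ?? string.Empty));
            return Convert.ToBase64String(tag);
        }
    }

    // At login: store the value both in the server-side session and in a cookie.
    public static void Establish(HttpContextBase ctx)
    {
        string value = BindingValue(ctx.Request.UserAgent);
        ctx.Session[CookieName] = value;
        ctx.Response.Cookies.Add(new HttpCookie(CookieName, value) { HttpOnly = true, Secure = true });
    }

    // On each request: the session's copy, the cookie's copy and a fresh HMAC of
    // the current User-Agent must all agree. A session cookie copied to a machine
    // with a different browser configuration fails this check.
    public static bool Verify(HttpContextBase ctx)
    {
        var fromSession = ctx.Session[CookieName] as string;
        HttpCookie fromCookie = ctx.Request.Cookies[CookieName];
        if (fromSession == null || fromCookie == null || fromCookie.Value == null) return false;

        string expected = BindingValue(ctx.Request.UserAgent);
        return FixedTimeEquals(fromSession, expected) && FixedTimeEquals(fromCookie.Value, expected);
    }

    // Constant-time comparison so the check does not leak how many leading
    // characters of the expected value matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

`SessionBinding.Establish(HttpContext)` is called right after a successful login; `SessionBinding.Verify(HttpContext)` runs from an action filter, and a `false` result should end the session rather than merely deny the one request.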
A: 

Use the built-in forms authentication framework to handle the HTTP transport end of the world and avoid reinventing the wheel.

PS: before someone downvotes, remember that FormsAuthentication != using the SqlMembershipProvider.

Wyatt Barnett
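A minimal login/logout controller built on the built-in FormsAuthentication that Wyatt Barnett recommends, added here as an example and not code from his answer. The credential check against a user table is your own code (FormsAuthentication does not provide it, which is his point about it being independent of SqlMembershipProvider); here it is a constructed demo record with a PBKDF2 hash. The `web.config` entries in the comment, the action names and the demo user are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Mvc;
using System.Web.Security;

// Login/logout actions built on FormsAuthentication. The framework, not this
// code, creates the cookie: an encrypted and MAC-protected ticket, marked
// HttpOnly, that carries the username. Editing the cookie breaks the MAC, so
// the username inside it cannot be changed to someone else's.
//
// Matching web.config entries (assumed; adjust paths and timeout to taste):
//
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" slidingExpiration="true" />
//     </authentication>
//     <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   </system.web>
public class AccountController : Controller
{
    // Constructed demo user standing in for a real user table.
    private const string DemoUser = "alice";
    private const string DemoPassword = "correct horse battery staple";
    private const int Pbkdf2Iterations = 100000;
    private static readonly byte[] DemoSalt = new byte[16];
    private static readonly byte[] DemoHash;

    static AccountController()
    {
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(DemoSalt);
        DemoHash = DeriveKey(DemoPassword, DemoSalt);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]   // the form must render @Html.AntiForgeryToken()
    public ActionResult Login(string username, string password, bool rememberMe = false)
    {
        if (!CheckCredentials(username, password))
        {
            ModelState.AddModelError("", "Invalid username or password.");
            return View();
        }

        // Issues the forms ticket for this username; the second argument decides
        // whether the cookie survives closing the browser.
        FormsAuthentication.SetAuthCookie(username, rememberMe);
        return RedirectToAction("Index", "Home");
    }

    [Authorize]   // only reachable with a valid ticket
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }

    // Password check against the demo record: PBKDF2 with a per-user salt and a
    // constant-time comparison of the derived key.
    private static bool CheckCredentials(string username, string password)
    {
        if (username == null || password == null) return false;
        if (!string.Equals(username, DemoUser, StringComparison.Ordinal)) return false;

        byte[] candidate = DeriveKey(password, DemoSalt);
        int diff = 0;
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ DemoHash[i];
        return diff == 0;
    }

    private static byte[] DeriveKey(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
        {
            return kdf.GetBytes(32);
        }
    }
}
```

With `mode="Forms"` in place, `[Authorize]` on any action or controller rejects requests without a valid ticket and redirects to `loginUrl`; `requireSSL="true"` makes the framework refuse to issue the cookie over plain HTTP, which covers the SSL point raised in the previous answer.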