views:

51

answers:

4

Does using cookies pose a threat to application security in ASP.NET? Or do we only use them as a medium for saving user stats and non-vital information? Got a few details on using cookies in ASP.NET from http://jai-on-asp.blogspot.com/2009/12/using-cookies-in-aspnet.html

+1  A: 

Using cookies doesn't pose any threat to an application. It is the way you use them and the information you store that could be problematic. For example, you have to avoid storing sensitive information in cookies. If used for authentication, they should always be transmitted over a secure channel.

Darin Dimitrov
+1  A: 

It depends on how you use them. Cookies should be treated as untrusted input at all times, because they can be faked, edited or deleted. I've seen applications where a cookie contains something like admin=true, which is obviously a very bad thing to do. If you're just dropping some GUID and using that to track someone, but not caring if your results are accurate, then that's fine.

If you want to make sure the cookie is semi-valid then you must add something like an HMAC to the cookie itself, which is what ASP.NET does with the forms authentication cookie (and the ViewState field). Of course this doesn't stop the user deleting the cookie, or copying a valid one from another user.

blowdart
+1  A: 

As long as you don't store critical information in the cookie (like the user's password) you should be fine.

Be careful with scenarios like this:

  • You store the user's ID in a cookie

  • You test against this ID to see if he's logged in

  • The user changes the ID manually in the cookie (easy to do)

  • The user gets access to another account

My point is that you have to keep in mind that the user can access a cookie and change it, so don't store anything you wouldn't want him to see.

Last thing, cookies often have a limited size, so be careful: don't store too much information. If you store too much stuff (like a large object), you might end up breaking things.

marcgg
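The HMAC check blowdart describes, applied to marcgg's user-ID-in-a-cookie scenario, as an added example that is not from the original answers or from ASP.NET's own forms-authentication code (written in Python rather than C# so it runs anywhere; the server secret and cookie values are constructed for the demo):

```python
import base64
import hashlib
import hmac

# Constructed secret for the demo. A real app loads it from protected
# configuration; anyone who knows it can forge cookies.
SECRET_KEY = b"example-server-secret-do-not-use"


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Return 'value.tag', where tag is HMAC-SHA256(key, value), base64url."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    tag_b64 = base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")
    return value + "." + tag_b64


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the signed value if the tag verifies, else None.

    The cookie is untrusted input: a missing, truncated or edited tag,
    or any change to the value, makes the HMAC fail. The tag is base64url,
    so the last '.' always separates value from tag even if the value
    itself contains dots.
    """
    value, sep, _tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = sign_cookie(value, key)
    # Constant-time comparison so timing does not leak how many bytes matched.
    if hmac.compare_digest(expected.encode("utf-8"), cookie.encode("utf-8")):
        return value
    return None


if __name__ == "__main__":
    # Server issues a cookie carrying the user ID and a role flag.
    issued = sign_cookie("uid=42;admin=false")
    print("issued:", issued)
    print("verified:", verify_cookie(issued))          # -> uid=42;admin=false
    # User edits the value in the browser: signature no longer matches.
    tampered = issued.replace("admin=false", "admin=true")
    print("tampered:", verify_cookie(tampered))        # -> None
    # A hand-made cookie with no tag at all is rejected too.
    print("unsigned:", verify_cookie("uid=1;admin=true"))  # -> None
```

Signing only proves the server produced the value; as blowdart notes, it does not stop a user deleting the cookie or replaying a valid one, so pair it with an expiry inside the signed value and a secure, HttpOnly transport.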
+2  A: 

IMO cookies are one of the best choices for some situations. For instance, storing the user's selected language. Also you can cache some sensitive information in the cookie, such as users' roles, as the ASP.NET Roles manager does. But you should encrypt it without doubt, and you should also set HttpCookie.HttpOnly = true to prevent JavaScript from accessing the cookie. Don't worry about cookie support in different browsers; size is the main concern (browsers support only 4096 bytes per cookie). Cookies are a bandwidth killer, because they are sent and received with each request and response. Thus, you should use them in moderation. You can check whether the client browser supports cookies as follows.

if (Request.Browser.Cookies)
{
    // The browser supports cookies
}

To learn more information about cookies, visit here.

Mehdi Golchin