tags:

views:

224

answers:

3
+2  Q: 

Is encrypting session id (or other authenticate value) in cookie useful at all?

In web development, when session state is enabled, a session id is stored in cookie(in cookieless mode, query string will be used instead). In asp.net, the session id is encrypted automatically. There are plenty of topics on the internet regarding how you should encrypt your cookie, including session id. I can understand why you want to encrypt private info such as DOB, but any private info should not be stored in cookie at first place. So for other cookie values such as session id, what is the purpose encryption? Does it add security at all? no matter how you secure it, it will be sent back to server for decryption.

Be be more specific,

For authentication purpose,

  1. turn off session, i don't want to deal with session time out any more
  2. store some sort of id value in the cookie,
  3. on the server side, check if the id value exists and matches, if it is, authenticate user.
  4. let the cookie value expire when browser session is ended, this way.

vs

Asp.net form authentication mechanism (it relies on session or session id, i think)

does latter one offer better security?

+2  A: 

I think what the "you should always encrypt your data" is referring to is to use SSL in your connections using a properly signed certificate. This will encrypt the whole communication between client and server.

I can't see any other use in otherwise additionally encrypting the session ID (which is already a very randomly generated ID in the first place).

Pekka  2010-05-15 15:04:22
+6  A: 

Attacks on sessions like Session Hijacking aim for a valid session ID. If you now would encrypt the session ID, attackers would simply aim for the encrypted session ID and you wouldn’t have any advantage. So encrypting the session ID is useless. Remember that the session ID is just a random value that is used to identify a session. Attackers don’t need to know if that random value has some specific meaning; they just need to know that random value.

If you want to secure your session, use HTTPS to encrypt the whole HTTP communication via SSL and set the cookies only with the flags

  • secure to only allow the cookie to be send via HTTPS and
  • HttpOnly to forbid local access via JavaScript.
Gumbo  2010-05-15 15:09:04
+1 Damn you Gumbo! I was going to say https and HttpOnly cookies.
Rook  2010-05-15 15:59:45
Thanks. https Makes communication secure, which I know. But httponly cookie is very interesting , will investigate.
Ji  2010-05-15 16:16:11
A: 

Encrypting random things will get you nowhere...

Longpoke  2010-05-15 15:11:45

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps