Is there any security problem if I store userId, profileId, username and other such information in a cookie?

+1  A: 

Yes, there will be an enormous security problem doing this. If you don't encrypt the cookie, anyone could replace the username you've stored with, say, Administrator (usually id=1) and send a request to the web server.

Darin Dimitrov
Depends on how he is using the cookies.
cherouvim
@cherouvim, that's correct, but I assume that if he wants to store the userId and profileId in the cookie it's to be able to identify the user on the server.
Darin Dimitrov
I think you can encrypt all user data but the username and save only the username and key on your server. This way you can save space on your server and no one can manipulate the user data. (If someone changes the username, the key won't fit.)
kasten
@kasten, all these are hypothetical scenarios. The OP asked if there's a security problem storing userId, profileId and username inside a cookie without mentioning anything about encryption (if he did, he should also mention what algorithm should be used, etc.; remember the famous Padding Oracle Attack), and without further information it seems that there's a big security risk.
Darin Dimitrov
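What "the key won't fit" in the comments above amounts to in practice is an authentication tag over the cookie contents. The following is an added example, not code from the question or the answers: a cookie that carries userId, profileId and username in the clear (the browser can still read them) plus an HMAC-SHA256 tag, so that any edit to the fields is rejected on the server. The field names and SERVER_KEY are assumed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Server-side secret; never sent to the client. Constructed placeholder for the example,
# in a real deployment this comes from a secrets store and is at least 32 random bytes.
SERVER_KEY = b"replace-with-a-random-32-byte-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(fields: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize the fields and append an HMAC tag: '<payload>.<tag>'.
    This gives integrity/authenticity only; the payload is readable by the user."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def read_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the fields if the tag verifies; otherwise None (treat as not logged in)."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def tamper_demo():
    """Show that editing userId in the browser invalidates the cookie."""
    good = make_cookie({"userId": 42, "profileId": 7, "username": "alice"})
    _, tag_b64 = good.split(".")
    edited = {"userId": 1, "profileId": 7, "username": "alice"}
    edited_payload = json.dumps(edited, sort_keys=True, separators=(",", ":")).encode()
    forged = _b64(edited_payload) + "." + tag_b64  # old tag, new payload
    return read_cookie(good), read_cookie(forged)
```

The tag stops modification but not copying: a stolen cookie still identifies the user until it expires, so an expiry field inside the signed payload and the Secure/HttpOnly attributes are still needed.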
A: 

This information is needed very often, and instead of doing an SQL query every time I can get this information from SQL once, store it in a cookie (when the user logs in) and then get it from the cookie. I think it will be more efficient.

Yes, you can do that BUT ONLY IF IT IS NOT CRITICAL THAT THIS DATA BE CORRECT.

The user can edit his own cookie.

If he wants to change his display name to something else, or get a different background picture, probably no problem.

If he can impersonate other users, big problem.

So, to be on the safe side, better not go down this road.

If you need performance improvements, consider server-side caching solutions instead.

Thilo