
Thread: Permanent cookies security problems


  1. #1
    Join Date
    May 2011

    Permanent cookies security problems

    I would like to discuss the security problems connected with the use of permanent cookies. Actually, this problem involves several aspects of web development (client and server side, site management and business, privacy and security, strategy and design), but since the root cause is the use of cookies and cross-site scripting vulnerabilities, I guess and hope this is the most appropriate forum to post in.

    One of the most comfortable things on the Internet is the opportunity to enter our protected panels around the world without typing our username and password each time, because it saves time, it is not annoying, we have forgotten the password for that site, we do not need to check our password manager to retrieve login details for every site we sign up to, we are lazy, and so on.

    Everybody knows this can be obtained by use of a permanent cookie inside the visitor's browser, as well as that relying only on a cookie is not a good idea security-wise, because of how easy it is to steal people's cookies by use of cross-site scripting on poorly designed websites, even if ours does not fall into that category.

    On many websites, forums or in books they say that a double check on the cookie and the IP address of the calling visitor should be enough to guarantee a certain level of security. I am concerned about this, as I think it is useless for private visitors and potentially dangerous for a company's employees.

    Private surfers are usually assigned a dynamic IP address by their connection providers each time they connect to the Internet, so the possibility of consecutively receiving the same IP address is very low. Because of this, the double check will very probably fail and visitors will need to log in again.

    On the other side, company employees connect from behind an intranet firewall, which externally identifies itself with the same static IP address and internally redirects the traffic dynamically thanks to IP masquerading and internal DHCP. This means that any computer other than mine behind the firewall may act as mine if they take my cookies, and the double security check will miserably fail.

    If your website targets only private visitors, without money or very sensitive data involved, you can bypass those security checks using only cookies and relying on a very extensive privacy policy in order not to be considered liable for anything (as Facebook and other large sites do). But if you want to provide a paid service, you cannot escape such worries, because customers will ask for reasons and liability for their loss.

    Finally, if you have had the patience to read until now, the question I would like to propose is: which other security checks (other than cookies and IP address) can be done to ensure the identity of the visitor connecting to the website? Or are we doomed to oblige our visitors to provide login details each time they connect in order to avoid potential security problems?

    Thanks in advance for your replies.

  2. #2
    Join Date
    Jul 2008
    urbana, il
    Most browsers offer to remember your passwords these days.
    That feature doesn't use cookies.

    If you must, at least use localStorage instead of document.cookie to avoid packet sniffing revelation of cookie data.
    Create, Share, and Debug HTML pages and snippets with a cool new web app I helped create: pagedemos.com
