
Thread: Permanent cookies security problems


  1. #1

    Permanent cookies security problems

    Hello,
    I would like to discuss security problems connected with the use of permanent cookies. Actually this problem involves several aspects of web development (client and server side, site management and business, privacy and security, strategy and design), but since the root cause is the use of cookies and cross-site scripting vulnerabilities, I guess and hope this is the most appropriate forum to post in.

    One of the most comfortable things on the Internet is the opportunity to enter our protected panels around the world without typing our username or password each time, because it saves time, it is not annoying, we may have forgotten the password for that site, we do not need to check our password manager to retrieve login details for every site we sign up to, or we are lazy, and so on.

    Everybody knows this can be obtained by use of a permanent cookie inside the visitor's browser, as well as that relying only on a cookie is not a good idea security-wise, because of how easy it is to steal people's cookies by use of cross-site scripting on poorly designed websites, even if ours does not fall into that category.

    On many websites, forums or books they say that a double check on the cookie and the IP address of the calling visitor should be enough to guarantee a certain level of security. I am concerned about this, as I think it is useless for private visitors and potentially dangerous for a company's employees.

    Private surfers are usually assigned a dynamic IP address by their connection providers each time they connect to the Internet, so the possibility of receiving the same IP address consecutively is very low. Because of this, the double check will very probably fail and visitors will need to re-login.

    On the other side, company employees connect from behind an intranet firewall, which externally identifies itself with the same static IP address and internally redirects the traffic dynamically thanks to IP masquerading and internal DHCP. This means that any computer other than mine behind the firewall may act as mine if it takes my cookies, and the double security check will miserably fail.

    If your website targets only private visitors without money or very sensitive data involved, you can bypass those security checks using only cookies and relying on a very extensive privacy policy in order not to be held liable for anything (as Facebook and other large sites do). But if you want to provide a paid service, you cannot escape such worries, because customers will ask for reasons and liability for their loss.

    Finally, if you had the patience to read until now, the question I would like to propose is: which other kinds of security checks (other than cookies and IP address) can be done to ensure the identity of the visitor connecting to the website? Or are we doomed to oblige our visitors to provide login details each time they connect in order to avoid potential security problems?

    Thanks in advance for your replies.
    Roberto

  2. #2
    most browsers offer to remember your passwords these days.
    that feature doesn't use cookies.

    if you must, at least use localStorage instead of document.cookie to avoid packet sniffing revelation of cookie data.
