I am not sure if I should post this on IT Security or StackOverflow, because I am concerned about security and performance.
I am trying to find a reliable source for cookie management. I read through OWASP so I roughly know what can be dangerous.
But I need to authenticate my users with cookies. Is there a complete step by step guide?
What I did:
- generate a random and unique string.
- associate the random string with a user in my cache: rndstring -> user
- create a secure and signed cookie: value = hash(rndstring+secret)|rndstring
- if the user comes back, I check if the hashes match, and if the rndstring is in my cache.
- if yes, get the user.
I think my approach is flawed because I made it by myself.
Another problem would be that I save the user object from the DB in my cache. If the user updates his profile I would also have to update the cache.
I am using Java with the Play 2 framework + MongoDB.
What resources can you recommend me?
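The scheme sketched in the question (random token, cache lookup, signed cookie value, verification on return) can be written down end to end in a few dozen lines. The block below is an added illustration for this thread, not the asker's code and not the Play framework's session API; it is in Python rather than Java because the design is language-agnostic. It keeps the `signature|token` cookie layout from the question but makes three changes a reviewer would ask for: the signature is an HMAC over the token rather than a plain `hash(token+secret)` (a plain hash of a concatenation is not a safe MAC construction), the comparison is constant-time, and the cache maps the token to a user id plus an expiry instead of to the whole user object, so the stale-cache problem raised about profile updates goes away because the user record is always read from the database. `SERVER_SECRET`, `SESSION_TTL`, the in-memory dictionary and the sample user id are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for the example; in a real deployment this comes from configuration,
# is at least 32 random bytes and is never checked into source control.
SERVER_SECRET = b"constructed-demo-secret-do-not-use-in-production"
SESSION_TTL = 3600  # seconds a session token stays valid (constructed value)

# Constructed in-memory stand-in for the cache described in the question.
# Maps token -> (user_id, expiry timestamp). Only the user id is stored, so
# profile edits in the database can never leave a stale copy of the user here.
_session_cache = {}


def _sign(token):
    """HMAC-SHA256 over the token; this replaces hash(token+secret)."""
    return hmac.new(SERVER_SECRET, token.encode("ascii"), hashlib.sha256).hexdigest()


def create_session(user_id, now=None):
    """Issue a new session: random token, cache entry, signed cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    _session_cache[token] = (user_id, now + SESSION_TTL)
    return f"{_sign(token)}|{token}"


def resolve_session(cookie_value, now=None):
    """Return the user id for a valid cookie value, or None if it is rejected.

    The caller then loads the user from the database by id; nothing about the
    user is trusted from the cookie itself.
    """
    now = time.time() if now is None else now
    if not cookie_value or "|" not in cookie_value:
        return None
    signature, token = cookie_value.split("|", 1)
    # Verify the signature before touching the cache, in constant time, so a
    # forged or tampered cookie costs nothing and leaks no timing information.
    if not hmac.compare_digest(signature, _sign(token)):
        return None
    entry = _session_cache.get(token)
    if entry is None:
        return None  # valid signature but unknown token (logged out, or evicted)
    user_id, expires_at = entry
    if now >= expires_at:
        _session_cache.pop(token, None)  # expired: evict and treat as logged out
        return None
    return user_id


def destroy_session(cookie_value):
    """Logout: drop the cache entry so the cookie can no longer be replayed."""
    if cookie_value and "|" in cookie_value:
        _, token = cookie_value.split("|", 1)
        _session_cache.pop(token, None)


def set_cookie_header(cookie_value, name="session"):
    """Build the Set-Cookie header value with the attributes a session cookie needs."""
    return (
        f"{name}={cookie_value}; Path=/; Max-Age={SESSION_TTL}; "
        "HttpOnly; Secure; SameSite=Lax"
    )


if __name__ == "__main__":
    cookie = create_session(user_id=42)
    print(set_cookie_header(cookie))
    print("resolves to user", resolve_session(cookie))
    destroy_session(cookie)
    print("after logout:", resolve_session(cookie))
```

Two points worth noting about the design. Because the server-side cache is the source of truth, a cookie can be revoked at logout simply by deleting the cache entry, which a purely self-contained signed cookie cannot do. And since the cache never holds user data, the cache only ever needs invalidation on logout or expiry, not on profile changes.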
I think this is a question for Security StackExchange, and I note that you've asked similar questions there, recently with an excellent answer from DW. There are plenty of folk on the security.stackexchange.com forum who'll critique your methodology.
I personally wouldn't recommend developing your own session management; in fact I'd advise against it. The Play framework session management has been reviewed by many folks, whereas yours hasn't and can easily have vulnerabilities that you've simply missed. I would use the built-in session management provided by your chosen programming framework. Have you read the Play documentation?
In terms of resources, you should check out the Secure Development Principles from David Rook: here and here.
If you change your mind about using cookies, you could look at web keys, which is a method for inserting an unguessable token into a URL.
When reading OWASP, did you read the latest Session Management cheat sheet? I think that a lot of your questions are answered there.
One final resource is the SANS Top 25 Software Errors.