The question says pretty much everything. My point is, is the user able to change his cookie’s values in order to appear “logged”, when he’s not really logged?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
The question says pretty much everything. My point is, is the user able to change his cookie’s values in order to appear “logged”, when he’s not really logged?
Cookies aren’t secure. As others here have pointed out, you shouldn’t trust any data received from the client, period. That said, cookies are often used to store Session IDs for logged in users, which is sort of what you’re asking.
Signing your cookies will help you detect if they’ve been tampered with on the client. Basically, you create a HMAC of the keys/values and a secret key, known only to the server. On each request, you re-compute the MAC: if it matches the previous value, all is well; if not, you reject the request.
For more sensitive data, you can optionally encrypt the cookies. Most web frameworks will allow you transparently do these using some kind of “middleware” external to your application code, so the signing/validation and encryption/decryption happens for each request.
Also, you should know that simply securing your cookies doesn’t guarantee, er…security 🙂 You might still be vulnerable to Cross-site Request Forgeries.
For more information on cookies, check out this article.