NYCPHP Meetup

NYPHP.org

[nycphp-talk] cookie authenticators

Michael B Allen ioplex at gmail.com
Mon Feb 2 14:11:17 EST 2009


On Mon, Feb 2, 2009 at 1:05 PM, Paul A Houle <paul at devonianfarm.com> wrote:
>   Note that sites like yahoo,  google,  amazon,  twitter,  ebay,  and digg
> don't use Basic Auth,  Digest Auth or any of the Auth systems built into the
> http standard.  They use the unofficial standard that's described in the
> following paper:
>
> http://pdos.csail.mit.edu/papers/webauth:sec10.pdf

This looks like a fun paper (the WSJ.com hack is forehead smacking
funny). But from looking at it briefly, I'm a little confused. It's
all about using cookie authenticators but it doesn't explain why one
would use cookie authenticators. My understanding is that cookie
authenticators are mostly only useful for allowing the authentication
state to persist across visits. Otherwise, you wouldn't need to use
cookies at all - you could just store the authenticator in the HTTP
session on the server. From a security perspective, cookies can be
sniffed just like session ids so there's not a great benefit there.
But the paper also has a section that says "do not use persistent
cookies" since another user on the system could copy the cookie and
gain access to your account but that would completely defeat the
purpose of using cookie authenticators as it would be easier to simply
use a server side authenticator.

It seems to me, if you want persistent authentication, cookie
authenticators must persist. And the only real benefit they provide
in terms of security is that session ids can be leaked in URLs whereas
cookies cannot (minus browser bugs that allow stealing cookies).

Are client side cookie authenticators really more *secure* than server
side session authenticators? Or do cookie authenticators actually
reduce security but are used anyway because persistent authentication
is a required user experience feature?

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
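As an added illustration that is not part of this thread or the paper's own code: the stateless authenticator layout the paper recommends, exp=t&data=s&digest=MAC(exp=t&data=s), built with HMAC in Python. The server keeps no per-user state, which is the property Mike is weighing against a server-side session; the key value and the fixed `now` argument are assumptions made so the functions can be exercised offline. A copied cookie still verifies until its expiry, so the exp field is what bounds the replay window.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed server-side key for the example; it never leaves the server.
SERVER_KEY = b"example-server-key-not-for-production"


def make_authenticator(user: str, ttl: int, key: bytes = SERVER_KEY,
                       now: Optional[int] = None) -> str:
    """Build exp=t&data=s&digest=MAC(exp=t&data=s). Nothing is stored server-side."""
    now = int(time.time()) if now is None else now
    payload = urlencode({"exp": now + ttl, "data": user})
    digest = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&digest={digest}"


def verify_authenticator(cookie: str, key: bytes = SERVER_KEY,
                         now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the cookie is intact and unexpired, else None."""
    now = int(time.time()) if now is None else now
    fields = parse_qs(cookie, keep_blank_values=True)
    try:
        exp = int(fields["exp"][0])
        user = fields["data"][0]
        digest = fields["digest"][0]
    except (KeyError, ValueError, IndexError):
        return None
    # Recompute the MAC over the canonical encoding of the parsed fields so that
    # any edit to exp or data (or a spliced-in duplicate field) breaks the check.
    expected = hmac.new(key, urlencode({"exp": exp, "data": user}).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison: a byte-by-byte == would leak how much of the
    # digest matched through response timing.
    if not hmac.compare_digest(expected, digest):
        return None
    # Only trust exp after the MAC has been checked; it is server-chosen data.
    if now >= exp:
        return None
    return user
```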
