NYCPHP Meetup

NYPHP.org

[nycphp-talk] Cookie

Michele Waldman mmwaldman at nyc.rr.com
Thu Mar 19 14:12:45 EDT 2009 

I don't use cookies to authenticate.  I'm using ht_access
mod_auth_digest/msyql.

I made like a million posts about this.

I just use the cookies to determine if I display a link.  If they haven't
already authenticated and forge the cookies to display the link, they'll get
"access denied".

But thanks anyway.

Michele
-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Paul A Houle
Sent: Thursday, March 19, 2009 10:30 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Cookie

David Mintz wrote:
>
> Moreover, are you sure you want to rely on cookies for testing whether 
> a user is authenticated?
    Uh,  don't Google,  Facebook,  Yahoo,  and most of the other 
top-1000 sites use cookies to tell if users are authenticated?  When's 
the last time you logged onto a public-facing site using http basic?

    The trouble with what Michelle is doing is that her cookies are 
easily forged.  If,  for instance,  the cookie says

isLoggedInAs: michelle

    somebody can try logging in as somebody else by just changing the 
text of the cookie.  You'd do a little better if you did

usernameAndPassword: michelle:somepasswordIpicked

    in that case,  you'd need to know somebody's password to forge a 
token.  Both of these schemes have the problem that somebody with a 
packet sniffer or token sniffer could steal tokens.  You can make a 
system ~resistant~ to that using the methods in the following paper:

http://pdos.csail.mit.edu/papers/webauth:sec10.pdf

    (it seems to be the greatest CS paper that nobody has ever read)

Note that I say ~resistant~ because somebody can steal a token,  
however,  a timeout value built into the cookie means that an attacker 
has to act fast.  The cookie also contains a session id which can be 
invalidated,  which also limits the range of the attack.

Packet sniffing attacks on web authentication systems don't seem to be 
that common in the wild.  If you're worried about them,  the right 
answer is to use SSL.  It can be a pain to get an SSL certificate and 
install it,  but you'd spend more on engineering time to build a system 
that looks secure (but probably isn't,)  even if you were hiring 
Oompa-Loompas to do your design and coding.

_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org/show_participation.php

More information about the talk mailing list