[unisog] Using cookies for authentication

hermit921 hermit921 at yahoo.com
Fri Mar 7 16:53:16 GMT 2003

I would expect that your system check the issue time of the cookie (part of 
the hash, right?) and refuse to honor it if the time is too old.


At 01:26 PM 3/7/2003 +1300, Russell Fulton wrote:
>Hi All,
>         We are currently looking at a new web based application that uses
>cookies for authentication.  The cookie contains amongst other things,
>userid, issue time, the issuing system ID and a SHA1 hash of the
>contents (and a secret) to prevent one changing the cookie.  All
>exchanges of the cookies over the network are via SSL and the cookie
>also had flags that tell the browser not to write it to disk.
>So far as I can tell if an attacker can steal a cookie then they can use
>it to impersonate the cookie's owner for the lifetime of the cookie.
>We are trying to do a risk analysis of this system and so I am trying to
>figure out how easy (or otherwise) it is to steal memory based cookies
>from systems running common browsers (mostly IE, some old :( ).
>Two schemes that occur to me are 1/ to tamper with the browser (so it
>writes the cookie to disk or better still sends it directly to the
>attacker) or 2/ to introduce malware on the user's computer that
>will search for the cookie in memory and send it to the attacker.  If an
>attacker has the ability to do either of these things then they could
>probably also install keyboard loggers and grab the users' credentials
>directly -- something that affects almost all authentication systems so
>I am ignoring this for this particular exercise.
>What I am really focusing on is the risk of browser bugs and XSS bugs
>that might allow the cookie to be stolen.  We must assume that the
>attacker may have a web server under their control in the same domain as
>the cookie and that they may be able to induce users to visit the site.
>Any thoughts or references gratefully received.
>Russell Fulton, Computer and Network Security Officer
>The University of Auckland,  New Zealand
>"It aint necessarily so"  - Gershwin
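The issue-time check suggested in the reply, applied to the cookie layout Russell describes (userid, issue time, issuing system ID, keyed hash), as an added example in Python that is not code from either poster; the HMAC-SHA1 construction standing in for the unspecified "SHA1 of contents and a secret", the `|` field layout, the key and the 15-minute limit are assumptions:

```python
import hmac
import hashlib
import time

# Constructed example: a stateless authentication cookie carrying userid,
# issue time and issuing system ID, protected by a keyed hash.  HMAC-SHA1
# stands in for the post's unspecified construction; the key is hypothetical.
SECRET = b"hypothetical-server-side-secret"
MAX_AGE_SECONDS = 15 * 60  # refuse cookies issued more than 15 minutes ago


def _mac(userid: str, issued_at: int, system_id: str, secret: bytes) -> str:
    payload = f"{userid}|{issued_at}|{system_id}".encode()
    return hmac.new(secret, payload, hashlib.sha1).hexdigest()


def issue_cookie(userid: str, system_id: str, issued_at: int,
                 secret: bytes = SECRET) -> str:
    """Build the cookie value: the three fields joined by '|' plus the MAC."""
    return f"{userid}|{issued_at}|{system_id}|{_mac(userid, issued_at, system_id, secret)}"


def validate_cookie(cookie: str, now: int, secret: bytes = SECRET,
                    max_age: int = MAX_AGE_SECONDS):
    """Return the userid if the cookie is authentic and fresh, else None.

    A stolen cookie is still a valid cookie, so the MAC check alone is not
    enough: the issue time bounds how long a captured copy stays usable.
    """
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    userid, issued_str, system_id, mac = parts
    if not issued_str.isdigit():
        return None
    issued_at = int(issued_str)
    # Constant-time comparison so verification does not leak timing information.
    if not hmac.compare_digest(mac, _mac(userid, issued_at, system_id, secret)):
        return None
    age = now - issued_at
    if age < 0 or age > max_age:  # future-dated or expired
        return None
    return userid


if __name__ == "__main__":
    t0 = int(time.time())
    c = issue_cookie("alice", "web01", t0)
    print(validate_cookie(c, t0 + 60))                           # alice
    print(validate_cookie(c, t0 + 3600))                         # None: too old
    print(validate_cookie(c.replace("alice", "bob"), t0 + 60))   # None: MAC mismatch
```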
