Using cookies for authentication
Krulewitch, Sean V
krulewit at myprivacy.iu.edu
Fri Mar 7 21:18:09 GMT 2003
Without smarts being on the browser itself you are going to need to
protect the cookie. Consider encrypting the cookie and include the IP
of the client (either in the cookie or in a cooresponding state store on
the server or servers).
Sean Krulewitch, Security Engineer, MCSE, MCP+I
IT Security Office, Office of the VP for Information Technology
For PGP Key: https://www.itso.iu.edu/staff/krulewit/
From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
Sent: Thursday, March 06, 2003 7:26 PM
To: unisog at sans.org
We are currently looking at a new web based application that
cookies for authentication. The cookies contains amongst other things,
userid, issue time, the issuing system ID and a SHA1 hash of the
contents (and a secret) to prevent one changing the cookie. All
exchanges of the cookies over the network are via SSL and the cookie
also had flags that tell the browser not to write it to disk.
So far as I can tell if an attacker can steal a cookie then they can use
it to impersonate the cookie's owner for the lifetime of the cookie.
We are try to do a risk analysis of this system and so I am trying to
figure out how easy (or otherwise) it is to steal memory based cookies
from systems running common browsers (mostly IE, some old :( ).
Two schemes that occur to me are 1/ to tamper with the browser (so it
writes the cookie to disk or better still sends it directly to the
attacker) or 2/ to introduce malware on the the user's computer that
will search for the cookie in memory and send it to the attacker. If an
attacker has the ability to do either of these things then they could
probably also install keyboard loggers and grab the users credentials
directly -- something that affects almost all authentication systems so
I am ignoring this for this particular exercise.
What I am really focusing on is the risk of browser bugs and XSS bugs
that might allow the cookie to be stolen. We must assume that the
attacker may have a web server under their control in the same domain as
the cookie and that they may be able to induce users to visit the site.
Any thoughts or references gratefully received.
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin
More information about the unisog