It definitely doesn't matter if it is encrypted or not. Just think about
what happens when you read a cookie. Set a cookie, let's say a userid. In
plain text, the userid might be 1000. When my application reads the cookie
to find the user's id, it asks the browser for the userid cookie, the browser
hands me back the value of whatever is contained in that cookie. In plain
text, it hands me back 1000. I check it against my database or whatever, see
that 1000 corresponds to user Bob and say, oh, this is Bob.

Now think about the situation where the cookie is an encrypted value. The
cookie is still userid, but instead of 1000, the value is some sort of
cryptographic hash of 1000. Lots of options for how to do the hash, but let's
say that the outcome of the hash of 1000 is XXYHDG. That's what gets set in
the cookie. The application comes along and asks the browser for the userid
cookie. Browser reads the cookie and reports back to the app that the value
is XXYHDG. Now your application looks up XXYHDG and says, oh, this matches
up with Bob and his userid of 1000. Therefore it presumes you are Bob.

If you copy that "encrypted" cookie over to another machine, the same exact
process happens. The person doing the copy of the cookie doesn't care if
Bob's userid is 1000 or XXYHDG. That information does them no good. They
only care that your application will take that information and decide that
they are Bob. Once your application decides that the person is Bob, they are
in the clear. The actual value of the cookie is meaningless to them, only
the function it serves in your authentication system.

Hope that helps explain the situation a bit better. It obviously raises a
number of very good questions, like, well, what are we supposed to do then?
But there are a number of good resources out there on how to secure your web
applications. Bottom line though, cookies are not secure and they should not
be used as the primary method of authentication if you care about the
application's security.

Judah
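As an added example (not part of Judah's message or of the thread), here is the situation described above in Python: the server recomputes the opaque cookie value for each known user and treats whoever presents it as that user, so a verbatim copy resolves to Bob just as the original does. For contrast, a server-side session store is included to show what does give the server control: the cookie then carries only a random id, and the server can expire or revoke it. The `USERS` table, `SERVER_KEY` and the `SessionStore` class are constructed for illustration and are not from any ColdFusion project.

```python
import hmac
import hashlib
import secrets

# Constructed sample data, following the thread: userid 1000 is Bob.
USERS = {1000: "Bob", 1001: "Alice"}
SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # hypothetical server-side secret


def issue_opaque_cookie(user_id: int, key: bytes = SERVER_KEY) -> str:
    """Return an opaque cookie value derived from the user id.

    This models the thread's "XXYHDG" cookie: a keyed hash (HMAC-SHA256)
    of the user id is stored in the cookie instead of the plain id.
    """
    return hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()


def user_from_opaque_cookie(cookie_value: str, key: bytes = SERVER_KEY):
    """Server-side lookup: which user does this opaque value belong to?

    The application recomputes the value for each known user and compares
    it (in constant time) with what the browser sent back. Whoever presents
    the value is treated as that user; nothing here checks who sent it.
    """
    for user_id, name in USERS.items():
        if hmac.compare_digest(issue_opaque_cookie(user_id, key), cookie_value):
            return user_id, name
    return None


def replayed_cookie_is_accepted() -> bool:
    """The thread's point: the same opaque value, presented again from a
    second client, still resolves to Bob. Returns True."""
    bobs_cookie = issue_opaque_cookie(1000)
    first_client = user_from_opaque_cookie(bobs_cookie)
    second_client = user_from_opaque_cookie(bobs_cookie)  # verbatim copy
    return first_client == second_client == (1000, "Bob")


class SessionStore:
    """Server-side sessions (constructed for this example).

    The cookie carries only a random session id; the server decides whether
    that id is still valid (expiry, logout). A copied cookie still works while
    the session is valid, but the damage is bounded by the session lifetime
    and the server can revoke it at any time.
    """

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> (user_id, issued_at)

    def login(self, user_id: int, now: float) -> str:
        session_id = secrets.token_urlsafe(32)  # unguessable, unrelated to the user id
        self._sessions[session_id] = (user_id, now)
        return session_id

    def user_for(self, session_id: str, now: float):
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user_id, issued_at = entry
        if now - issued_at > self.ttl:
            del self._sessions[session_id]  # expired: forget it
            return None
        return user_id, USERS[user_id]

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def server_side_session_lifecycle() -> dict:
    """Walk Bob's session through issue, replay, logout and expiry."""
    store = SessionStore(ttl_seconds=900)
    t0 = 1_700_000_000.0  # constructed fixed clock so the result is deterministic
    sid = store.login(1000, t0)
    results = {
        "fresh": store.user_for(sid, t0 + 10),
        "replayed_while_valid": store.user_for(sid, t0 + 20),  # still Bob
    }
    store.logout(sid)
    results["after_logout"] = store.user_for(sid, t0 + 30)   # None: revoked
    sid2 = store.login(1000, t0)
    results["after_expiry"] = store.user_for(sid2, t0 + 901)  # None: past TTL
    return results


if __name__ == "__main__":
    print("replayed opaque cookie accepted:", replayed_cookie_is_accepted())
    print(server_side_session_lifecycle())
```

The first half shows why hashing or encrypting the value changes nothing for the copier: the server only ever compares the presented value with what it would have issued. The second half shows the knob the server actually controls, validity of the session on its own side, which is what lets a stolen cookie be expired or revoked rather than honoured indefinitely.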

On Mon, Sep 22, 2008 at 7:45 PM, Al Musella, DPM
<[EMAIL PROTECTED]> wrote:

> Dave,
>  That is one of the scariest things I ever read :)
>  Heath - If I am reading this correctly, encrypting the cookie
> doesn't matter.  They can just get your encrypted cookie and use it
> as is, they do not need to unencrypt it.
>
> >Thanks Dave,
> >
> >Do you think encrypting the cookie values would be acceptable way of
> >securing the session?
> >
> >Heath


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312956