When you say "You know the secret key", are you referring to the site or 
the user?

Either way, how would this stop someone from copying the key and using 
it on another computer?

Let's say the phrase "SecretKey" was the secret key. So my cookie would 
look like this:

PVector:1/1/2010:7f98w7f9f98wfh9wh6f976h326

So... What is to stop someone from taking that cookie and using it on 
their machine? This doesn't seem to increase security at all.


Barney Boisvert wrote:
> create your cookie like this:
> 
> #userId#:#expirationDate#:#hash(userId & expirationDate & yourSecretKey)#
> 
> Then you can ensure the cookie came from you and that it hasn't been
> manipulated, because only you can properly create the hash (because
> only you know the secret key).
> 
> cheers,
> barneyb
> 
> On Tue, Oct 28, 2008 at 1:10 PM, Phillip M. Vector
> <[EMAIL PROTECTED]> wrote:
>> So how do you suggest I validate the cookie without requiring User input
>> (invalidating the purpose of the cookie in the first place)?
>>
>> Barney Boisvert wrote:
>>> A spin attack is when you manipulate some form of captured user input.
>>>  It's usually a number, so the name comes from spinning a numeric
>>> dial.  Any user input, which includes cookies, has to be validated.
>>> If you just trust the cookie, anyone who steals the cookie can
>>> impersonate the user.  Even encrypting it doesn't help, because the
>>> attacker doesn't need the actual value, he just has to pass the
>>> cookie.
>>>
>>> On Tue, Oct 28, 2008 at 12:46 PM, Phillip M. Vector
>>> <[EMAIL PROTECTED]> wrote:
>>>> Perhaps you weren't reading it clearly. Allow me to explain.
>>>>
>>>> I give the UserID (in UUID form and encrypted) out when someone hits my
>>>> site.
>>>>
>>>> When a user has it, I load up that profile and they "log in" to the site.
>>>>
>>>> If a user doesn't have it, they need to log in with a username and 
>>>> password.
>>>>
>>>> I fail to see why this is insecure. How do you suggest that I
>>>> authenticate that it's the correct person without any user input and
>>>> allowing them to log into the site from more than one computer/ip?
>>>>
>>>> And I'm not familiar with a spin attack. What is that?
>>>>
>>>> Barney Boisvert wrote:
>>>>> WHAT!!!!  You store a userId in a cookie and trust it????  Are you
>>>>> mad???  Numbers are as inherently secure as UUIDs - they're both
>>>>> simply identifiers.  Authentication and authorization are where
>>>>> security happens.  If an application is susceptible to spin attacks
>>>>> like that, I suppose that a UUID might assist to some degree, but much
>>>>> better to just prevent the spin attack.
>>>>>
>>>>> cheers,
>>>>> barneyb
>>>>>
>>>>> On Tue, Oct 28, 2008 at 12:30 PM, Phillip M. Vector
>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>> Oh.. I have that as well. But take for example the UserID that I store
>>>>>> as a cookie to someone else based on the UserID field.
>>>>>>
>>>>>> It's easy to change a cookie to a 1 and hope to get admin access.
>>>>>>
>>>>>> It's harder to figure out someone else's ID. :)
>>>>>>
>>>>>> and yeah, I can set it to the IP and so on, but honestly, using a UUID
>>>>>> is a lot more secure than auto increase.
>>>>>>
>>>>>> Matt Quackenbush wrote:
>>>>>>> On Tue, Oct 28, 2008 at 2:13 PM, Phillip M. Vector wrote:
>>>>>>>
>>>>>>>> The only thing I've noticed in using that is that you can guess the
>>>>>>>> next number.
>>>>>>>>
>>>>>>>> If you have a URL string of id set to 7, I've always tried manually
>>>>>>>> typing in 6 and seeing what happens. Sometimes, 5. :)
>>>>>>>>
>>>>>>>>
>>>>>>> That's what permission checking in your application is for.  :-)
>>>>>>>
>>>>>>>
>>>>>>>
>>>
>>
> 
> 
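
An added example (not code from the thread) of the signed cookie Barney describes, written in Python rather than ColdFusion: HMAC-SHA256 stands in for hash(userId & expirationDate & yourSecretKey), and the key, user id and timestamps are constructed values. It shows that spinning the userId or the date breaks the signature, while an unmodified copy of the cookie still verifies, which is exactly the point raised above.

```python
import hmac
import hashlib

# Constructed server-side secret (the thread's "SecretKey"); it never leaves the server.
SECRET_KEY = b"SecretKey"


def make_cookie(user_id: str, expires: int, key: bytes = SECRET_KEY) -> str:
    """Build "userId:expirationDate:signature" as described in the thread.

    HMAC-SHA256 stands in for hash(userId & expirationDate & secretKey):
    only a holder of the key can produce a signature that verifies.
    """
    payload = f"{user_id}:{expires}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_cookie(cookie: str, now: int, key: bytes = SECRET_KEY):
    """Return the user id if the cookie is authentic and unexpired, else None.

    Any change to userId or the date breaks the signature, but an exact
    copy of a valid cookie verifies from any machine, so the expiration
    date is what bounds how long a stolen cookie stays useful.
    """
    # rsplit so a user id containing ':' still parses into three fields
    parts = cookie.rsplit(":", 2)
    if len(parts) != 3:
        return None
    user_id, expires, sig = parts
    expected = hmac.new(key, f"{user_id}:{expires}".encode(),
                        hashlib.sha256).hexdigest()
    # constant-time comparison so the signature cannot be recovered byte by byte
    if not hmac.compare_digest(sig, expected):
        return None
    if not expires.isdigit() or int(expires) < now:
        return None
    return user_id


if __name__ == "__main__":
    now = 1_225_200_000                      # constructed "current time" (Oct 2008)
    good = make_cookie("PVector", now + 3600)
    print(verify_cookie(good, now))          # PVector: authentic and unexpired
    spun = "1" + good[len("PVector"):]       # userId spun to 1, signature unchanged
    print(verify_cookie(spun, now))          # None: signature no longer matches
    print(verify_cookie(good, now + 7200))   # None: expired
    print(verify_cookie(good, now))          # PVector: an unchanged copy still verifies
```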

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314491