Christian Gilmore wrote:
Hi, Michael. Let me try again with more specifics. I'm required to mash my
service into another organization's authentication scheme, ditching my own
secure methods for their cross-domain unencrypted, unsigned cookie.
[...]
On a side note, if anyone finds the proposed design lacking for security or
anything else, please let me know.
It sounds like you are already aware that it lacks security. The important thing to remember about cookies is that unless you use some kind of cryptographic signature to verify them, you have absolutely no idea if the cookie came from your site or not. People can very easily put whatever they want in a cookie to send to your site using one of the thousands of HTTP testing programs and libraries, and if you use that cookie as a key to a data structure they may be able to gain access to other people's data.

Even if you use a crypto signature they can still sniff someone else's legit cookie off the wire, but at least you can prevent them from tampering with the contents of the cookie.

"Never trust the client."

- Perrin
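
The signature check described in the reply above, as an added example that is not part of the original thread: the server appends an HMAC to the cookie and rejects anything whose MAC does not verify. The key, the `user_id|expiry|mac` layout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed key for the example; a real deployment loads a random secret
# from server-side configuration and never sends it to the client.
SECRET_KEY = b"example-only-server-side-secret"


def _mac(payload: str) -> str:
    """HMAC-SHA256 of the payload, hex encoded."""
    return hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_cookie(user_id: str, ttl_seconds: int = 3600,
                now: Optional[float] = None) -> str:
    """Return 'user_id|expiry|mac'; the MAC covers both user_id and expiry."""
    if "|" in user_id:
        raise ValueError("user_id must not contain the field separator")
    issued = time.time() if now is None else now
    payload = f"{user_id}|{int(issued) + ttl_seconds}"
    return f"{payload}|{_mac(payload)}"


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the cookie is authentic and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None  # unsigned or malformed: treat as no cookie at all
    user_id, expiry, mac = parts
    expected = _mac(f"{user_id}|{expiry}")
    # Constant-time comparison, done before any field is parsed or trusted.
    if not hmac.compare_digest(expected.encode("utf-8"), mac.encode("utf-8")):
        return None
    current = time.time() if now is None else now
    if int(expiry) < current:
        return None  # authentic but past its lifetime
    return user_id


if __name__ == "__main__":
    cookie = sign_cookie("alice", ttl_seconds=60, now=1000)
    print(verify_cookie(cookie, now=1010))                        # genuine cookie
    print(verify_cookie(cookie.replace("alice", "bob"), now=1010))  # edited value
```

A byte-for-byte copy of a genuine cookie still verifies until its expiry, which is the sniffing case the reply mentions; the MAC only prevents changes to the contents, so the cookie also needs an encrypted transport and a short lifetime.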


