Correct cookie management

I am not sure if I should post this on IT Security or StackOverflow, because I am concerned about security and performance.

I am trying to find a reliable source for cookie management. I read through OWASP so I roughly know what can be dangerous.

But I need to authenticate my users with cookies. Is there a complete step-by-step guide?

What I did:

  • generate a random and unique string.

  • associate the random string with a user in my cache rndstring -> user

  • create a secure and signed cookie. value = hash(rndstring+secret)|rndstring

  • if the user comes back, I check if the hashes match, and if the rndstring is in my cache.

  • if yes get the user.

I think my approach is flawed because I made it by myself.

Another problem would be that I save the user object from the db in my cache. If the user updates his profile I would also have to update the cache.

I am using Java with the Play 2 framework + MongoDB.

What resources can you recommend me?

Maik Klein asked Aug 07 '12 08:08
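The scheme described in the question (random token, server-side lookup, signed cookie, check on return) written out as a complete example. This is added illustration code, not the asker's code and not Play's session API; it is in Python rather than the asker's Java/Play stack, and the secret, user table and session store are constructed in-memory stand-ins. Two deliberate departures from the question's sketch are labelled in the comments: the signature is an HMAC over the token instead of hash(rndstring+secret), and the store keeps only the user id, not the user object, so the cache-staleness problem from the question does not arise.

```python
import hashlib
import hmac
import secrets
import time

# Constructed secret for this example only; a real deployment loads it from configuration.
SERVER_SECRET = b"example-secret-do-not-use"

# Server-side session store: token -> {"user_id": ..., "expires": ...}.
# It holds the user id rather than the user object, so profile edits never go stale here.
SESSION_STORE = {}
SESSION_TTL = 3600  # seconds

# Constructed user table standing in for the database.
USERS = {42: {"name": "maik", "email": "maik@example.invalid"}}


def sign(token: str) -> str:
    # Keyed HMAC instead of hash(token + secret): a MAC is the right primitive for
    # "prove the server issued this", and it avoids hash length-extension concerns.
    return hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()


def create_session(user_id: int, now=None) -> str:
    """Issue a session for user_id and return the cookie value 'signature|token'."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: random and unguessable
    SESSION_STORE[token] = {"user_id": user_id, "expires": now + SESSION_TTL}
    return f"{sign(token)}|{token}"


def cookie_header(cookie_value: str) -> str:
    """Set-Cookie value with the attributes a session cookie should carry."""
    return f"session={cookie_value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def resolve_session(cookie_value, now=None):
    """Return the current user record for a valid cookie, or None."""
    now = time.time() if now is None else now
    if not cookie_value or "|" not in cookie_value:
        return None
    signature, token = cookie_value.split("|", 1)
    # Constant-time comparison so a wrong signature is not detectable via timing.
    if not hmac.compare_digest(signature, sign(token)):
        return None
    entry = SESSION_STORE.get(token)
    if entry is None or entry["expires"] <= now:
        SESSION_STORE.pop(token, None)  # drop expired entries on first sight
        return None
    # Look the user up fresh on every request; the store never caches the profile.
    return USERS.get(entry["user_id"])


def destroy_session(cookie_value) -> None:
    """Logout: remove the server-side entry so the cookie is worthless afterwards."""
    if cookie_value and "|" in cookie_value:
        SESSION_STORE.pop(cookie_value.split("|", 1)[1], None)


if __name__ == "__main__":
    c = create_session(42)
    print(cookie_header(c))
    print(resolve_session(c))
    destroy_session(c)
    print(resolve_session(c))  # None after logout
```

The `now` parameter exists only so the expiry path can be exercised deterministically; in a request handler you would leave it unset. Because the store is keyed by the token and holds just the id, invalidation on logout is a single delete and a profile update needs no cache maintenance at all.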



1 Answer

I think this is a question for Security StackExchange and I note that you've asked similar questions there, recently with an excellent answer from DW. There are plenty of folk on the security.stackexchange.com forum who'll critique your methodology.

I personally wouldn't recommend developing your own session management, in fact I'd advise against it. The "play framework" session management has been reviewed by many folks, whereas yours hasn't and can easily have vulnerabilities that you've simply missed. I would use the built-in session management provided by your chosen programming framework. Have you read the play documentation?

In terms of resources, you should check out the Secure Development Principles from David Rook - here and here.

If you change your mind about using cookies, you could look at web keys, which is a method for inserting an unguessable token into a URL.

When reading OWASP, did you read the latest Session Management cheatsheet? I think that a lot of your questions are answered there.

One final resource is the SANS Top 25 Software Errors.

Mark Hillick answered Oct 16 '22 03:10