Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is encrypting session id (or other authenticate value) in cookie useful at all?

Tags:

security

authentication

asp.net

cookies

session

In web development, when session state is enabled, a session id is stored in cookie(in cookieless mode, query string will be used instead). In asp.net, the session id is encrypted automatically. There are plenty of topics on the internet regarding how you should encrypt your cookie, including session id. I can understand why you want to encrypt private info such as DOB, but any private info should not be stored in cookie at first place. So for other cookie values such as session id, what is the purpose encryption? Does it add security at all? no matter how you secure it, it will be sent back to server for decryption.

Be be more specific,

For authentication purpose,

  1. turn off session, i don't want to deal with session time out any more
  2. store some sort of id value in the cookie,
  3. on the server side, check if the id value exists and matches, if it is, authenticate user.
  4. let the cookie value expire when browser session is ended, this way.

vs

Asp.net form authentication mechanism (it relies on session or session id, i think)

does latter one offer better security?

like image 339
JiJ Avatar asked May 15 '10 15:05

JiJ

People also ask

What is the difference between session ID cookies and encrypted cookies?

The difference is that session id cookies are in themselves meaningless because they do not represent any meaningful information, while the encrypted cookie is meaningless because the client does not possess the ability to decrypt the data.

What is the session authentication method?

The session authentication method is based on the concept of the ID being shared with the client through a cookie file, while the rest of the details are on the session file, stored on the server.

Why do cookies need to be encrypted?

If the cookie additionally includes a message authentication code or other anti-tampering measure, then an attacker cannot make changes to an encrypted cookie without invalidating it. Encrypting the cookie also keeps the user and others on the same computer from being able to see what information is being stored.

What is the difference between authentication and cookie-based authentication?

Authentication is the process of exchanging user credentials for a piece of unique identification. In cookie-based authentication, this unique identifier (cookie) is created on the server-side and sent to the browser.

2 Answers

Attacks on sessions like Session Hijacking aim for a valid session ID. If you now would encrypt the session ID, attackers would simply aim for the encrypted session ID and you wouldn’t have any advantage. So encrypting the session ID is useless. Remember that the session ID is just a random value that is used to identify a session. Attackers don’t need to know if that random value has some specific meaning; they just need to know that random value.

If you want to secure your session, use HTTPS to encrypt the whole HTTP communication via SSL and set the cookies only with the flags

  • secure to only allow the cookie to be send via HTTPS and
  • HttpOnly to forbid local access via JavaScript.
like image 154
Gumbo Avatar answered Oct 29 '22 20:10

Gumbo

I think what the "you should always encrypt your data" is referring to is to use SSL in your connections using a properly signed certificate. This will encrypt the whole communication between client and server.

I can't see any other use in otherwise additionally encrypting the session ID (which is already a very randomly generated ID in the first place).

like image 41
Pekka Avatar answered Oct 29 '22 20:10

Pekka
Sign in to Comment

Related questions

css :after overriding existing styles
How to mock Asp.net identity UserManager's CreateAsync method
ASP.NET Core: How to get remote IP address?
Getting to the query string (GET request array) inside a web service in .NET
What does an "Unable to validate data" exception in System.Web.Configuration.MachineKeySection.GetDecodedData indicate
ASP.NET: Shortest way to render DataTable to a string (HTML)?
asp.net literal control bgcolor
C#, FindControl [duplicate]
Is it possible to optimize ASP.NET WebForms to perform as fast as ASP.NET MVC?
How to switch IIS Developer Express to "Classic Mode"
Stop SQL query execution from .net Code
Mvc json response check for true/false
How to get string from url in ASP.NET webforms?
How to get all users in Role (Microsoft ASP.NET Identity EntityFramework 2.0.0-beta1)?
Filter GridView on TextBox's KeyPress event from code behind
ASP.net Inline Expression Issue
Storing connection strings in machine.config vs storing them in web.config
The timeout period elapsed prior to obtaining a connection from the pool
CryptographicException: Padding is invalid and cannot be removed and Validation of viewstate MAC failed
Cannot get IIS pickup directory

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!