Making a secure login cookie

I've recently read one of Jeff's articles about XSS and it got me thinking about how to better protect the login cookies in my home cooked authentication system.

Basically what I do now is this (note, everything is configurable and currently set to true):

    // Requires: using System.Text; using System.Web;
    // Builds the login cookie value by hashing the stored password hash
    // together with optional request-derived values and the site name.
    protected static string ComputeLoginHash(string passwordhash){
        StringBuilder sb=new StringBuilder();
        sb.Append(passwordhash);
        if(CookieUseIP){
            // client IP address of the current request
            sb.Append(HttpContext.Current.Request.UserHostAddress);
        }
        if(CookieUseBase){
            // physical path the site root is mapped to
            sb.Append(HttpContext.Current.Request.MapPath("/"));
        }
        if(CookieUseBrowserInfo){
            // raw User-Agent header sent by the client
            sb.Append(HttpContext.Current.Request.UserAgent);
        }
        sb.Append(SiteName);
        return ComputeHash(sb.ToString());
    }

(note that passwordhash is made out of password, unique salt, and username).

Ok, so one of the questionable things I do is use the UserAgent string. Is there harm in doing this? Or are there browsers which will change their UserAgent string under normal operation (as in, without being updated)? My goal is basically for if an attacker gets a login cookie, for them to not be able to do anything with it. Would this help meet my goal or is it just overly cumbersome for the user? At the moment, the only info I store in the cookie plain text is the username.

Earlz Avatar asked Mar 22 '26 17:03



1 Answer

First and foremost you should never write your own session handler. You are reinventing the wheel and it will be less secure.

If ComputeLoginHash() is producing a cookie value then you have a big problem on your hands. An attacker can obtain the username/password hash from the database and then build a cookie value by passing it to a hash function. This would allow an attacker to log in without needing to crack a password. Effectively you are completely removing the protection provided by hashing passwords.

A cookie value must always be a cryptographic nonce, and this value must expire (less than a day is good). For added security enable http-only cookies, which helps thwart XSS. Also set the sts-header to enforce https and in turn take care of OWASP A9. Also, don't forget about session riding. Also there is absolutely no point in checking the user-agent because this is an attacker controlled variable.

rook Avatar answered Mar 25 '26 11:03

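The two designs side by side, as an added example that is neither Earlz's nor rook's code: `login_hash_as_asked` mirrors the question's deterministic derivation (IP and base-path options left out), and `create_session`/`lookup_session`/`cookie_headers` implement the answer's advice with a random token, server-side storage of only the token's hash, a short expiry, and HttpOnly/Secure/HSTS headers. The function names, the in-memory store and the 8-hour TTL are assumptions, not anything from the page.

```python
import hashlib
import secrets
import time

SESSION_TTL = 8 * 3600   # assumed lifetime; well under the "less than a day" the answer suggests
SESSION_STORE = {}       # sha256(token) -> {"user": ..., "expires": ...}; stand-in for a DB table


def login_hash_as_asked(passwordhash, user_agent, site_name):
    """Mirror of the question's ComputeLoginHash: every input is either in the
    database (passwordhash) or public (User-Agent, site name), so anyone holding
    a DB dump can recompute the cookie value without cracking anything."""
    return hashlib.sha256((passwordhash + user_agent + site_name).encode()).hexdigest()


def create_session(username, now=None):
    """Issue a fresh 256-bit random token; persist only its hash server-side,
    so a dump of the store yields nothing that works as a cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                  # cryptographic nonce, derived from nothing
    key = hashlib.sha256(token.encode()).hexdigest()   # what the DB sees
    SESSION_STORE[key] = {"user": username, "expires": now + SESSION_TTL}
    return token


def lookup_session(token, now=None):
    """Return the username for a valid, unexpired token; purge and return None otherwise."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    rec = SESSION_STORE.get(key)
    if rec is None or now >= rec["expires"]:
        SESSION_STORE.pop(key, None)                   # expired entries are dropped on touch
        return None
    return rec["user"]


def cookie_headers(token, hsts_max_age=31536000):
    """Response headers for the session cookie: HttpOnly keeps it away from
    script (XSS), Secure plus HSTS keeps it off plaintext HTTP, SameSite and a
    bounded Max-Age limit session riding and replay windows."""
    return {
        "Set-Cookie": f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={SESSION_TTL}",
        "Strict-Transport-Security": f"max-age={hsts_max_age}; includeSubDomains",
    }
```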


