Results 1 to 4 of 4
  1. #1

    can cookie's be set manually to bypass security?

    I am pretty new to web hosting and Vbscript, and I have put an Access database inside an access_db folder on Godaddy and written some .asp pages that query it. I am trying to make sure that I take necessary precautions against hackers reading or even writing to the database. Maybe someone can give some remarks about whether any of these concerns are realistic, and if so, why and what I could do about it?

    1) Could someone somehow navigate directly to the database and read or write to it (the access_db folder seems to have no read/write permissions as set by default by Godaddy, but how secure is that?)

    2) I permit entry through use of a a userid and password that are looked up in an mdb in the same folder (not listed in the html itself). If there’s a match, I store the userid as a session cookie. Then, to visit any other pages, each page first checks to see if the cookie is empty before proceeding. Is it possible for someone to set the cookie themselves and thus break through (can a cookie be set manually?) If so, would it help if I mandated that the cookie be set to something specific (right now it just has to be non-blank) or can they find out what the cookie should be set to as well?

  2. #2
    Join Date
    Mar 2002
    Location
    Posts
    785
    Of course a cookie can be set or changed by the visitor.
    Check the data in the cookie on every pageview, do not trust the cookie, it can be changed as easy as changing the url in your browser.
    High Quality Web Hosting from Host Ultra
    Visit us online at www.hostultra.com

  3. #3

    check cookie?

    Ok, then if the cookie can be changed by the user, I don't understand what you mean by "check the cookie on every page-view." Currently, every page I have checks the cookie to see if it matches a certain string I have hard coded in my vbscript. Is that what you mean to do? But if the user can set the cookie himself, then what good does it do to check the cookie "on every page-view" or at all?

    I think I'm misunderstanding something in what you said.

    This is the code:

    if request.cookies("authenticated")<>"thesecretstring" then
    ' report that access is denied
    else
    'do what the page is supposed to do
    end if

    Of course, another question is whether it is easy or possible for a user to find out what they should set the cookie to in order to bypass security.

  4. #4
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,849
    Don't use cookies directly unless you have to - php sessions handle this automatically, including storing a unique id in the cookie to identify a known user.

    But even then the session id can be "leaked" and anyone who gets it could pretend to be your authenticated user. Have a read through the manual page - as a minimum you probably want to restrict your sessions to cookies only so the id doesn't get passed in the url and stored in logs / browser history etc.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •