If you managed to copy a cookie to your machine, then either 1 of 2 things happened.

1) I gave you permission to do so and therefore, I understand the concept that I'm giving you my ID on the site basically.

2) You took it without me knowing. This would involve you accessing my computer in some way and if I don't know you well enough to trust you, then you aren't going to access my machine. Anyway, you can just log into the site from my machine anyway. :)

I should also point out that there is a "Logout" function that removes the cookie. So people who are security conscious can log out if needed.

Either way, how do you suggest I "authenticate" a person with the cookie to make sure it's really the proper user without having the user re-login to the site? I suppose I can have them re-log in if their IP changes, but IPs can be faked as well.

Judah McAuley wrote:
> What if I copied your cookie to my machine? I go to your site, it
> checks to see if I have a cookie, I do, so it grabs the encrypted UUID
> value in that cookie, checks it against your db, matches your record,
> then logs me in as you.
>
> I don't have to know the value of the UUID. It doesn't matter that it
> is encrypted. I only have to have the same value that you do.
>
> Judah
>
> On Tue, Oct 28, 2008 at 12:46 PM, Phillip M. Vector
> <[EMAIL PROTECTED]> wrote:
>> Perhaps you weren't reading it clearly. Allow me to explain.
>>
>> I give the UserID (in UUID form and encrypted) out when someone hits my
>> site.
>>
>> When a user has it, I load up that profile and they "log in" to the site.
>>
>> If a user doesn't have it, they need to log in with a username and password.
>>
>> I fail to see why this is insecure. How do you suggest that I
>> authenticate that it's the correct person without any user input and
>> allowing them to log into the site from more than one computer/ip?
>>
>> and I'm not familiar with a spin attack. What is that?
>>
>> Barney Boisvert wrote:
>>> WHAT!!!! You store a userId in a cookie and trust it???? Are you
>>> mad??? Numbers are as inherently secure as UUIDs - they're both
>>> simply identifiers. Authentication and authorization are where
>>> security happens. If an application is susceptible to spin attacks
>>> like that, I suppose that a UUID might assist to some degree, but much
>>> better to just prevent the spin attack.
>>>
>>> cheers,
>>> barneyb
>>>
>>> On Tue, Oct 28, 2008 at 12:30 PM, Phillip M. Vector
>>> <[EMAIL PROTECTED]> wrote:
>>>> Oh.. I have that as well. But take for example the UserID that I store
>>>> as a cookie to someone else based on the UserID field.
>>>>
>>>> It's easy to change a cookie to a 1 and hope to get admin access.
>>>>
>>>> It's harder to figure out someone else's ID. :)
>>>>
>>>> and yeah, I can set it to the IP and so on, but honestly, using a UUID
>>>> is a lot more secure than auto increase.
>>>>
>>>> Matt Quackenbush wrote:
>>>>> On Tue, Oct 28, 2008 at 2:13 PM, Phillip M. Vector wrote:
>>>>>
>>>>>> The only thing I've noticed in using that is that you can guess the next
>>>>>> number.
>>>>>>
>>>>>> If you have a URL string of id set to 7, I've always tried manually
>>>>>> typing in 6 and seeing what happens. Sometimes, 5. :)
>>>>>>
>>>>>>
>>>>> That's what permission checking in your application is for. :-)
>>>>>
>>>>>
>>>>>
>>>
>>
>
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314476
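The thread's open question is what the server can do once a cookie has been copied. The following is an added example, not code from any of the posters and not ColdFusion: it is a small Python model (standing in for the CFML server) of the two designs under discussion. `IdentifierCookieSite` mirrors the "encrypted UUID in a cookie" scheme, where the cookie value is a fixed per-user identifier and "Logout" can only delete the browser's copy. `SessionSite` is the usual alternative: the cookie carries a random per-login token, the server keeps a hashed record of it with an expiry, and logout deletes that record. Every name, the user ids and the timings are constructed for the example; the point it makes is which design lets the server revoke a login.

```python
"""Two ways to turn a cookie into a logged-in user (constructed example)."""
import hashlib
import secrets
import time
import uuid


class IdentifierCookieSite:
    """The thread's design: the cookie carries a fixed per-user identifier.

    The thread encrypts a UUID; here the UUID is stored directly, because
    encrypting it does not change the property being discussed: whoever
    presents the value is treated as that user, and the value never changes.
    """

    def __init__(self):
        self.users = {}  # cookie value -> user id

    def register(self, user_id):
        value = str(uuid.uuid4())  # the identifier that goes into the cookie
        self.users[value] = user_id
        return value

    def user_for(self, cookie_value):
        return self.users.get(cookie_value)

    def logout(self, cookie_value):
        # The thread's "Logout" removes the cookie from the browser. The server
        # holds no per-login state, so there is nothing to revoke here; any
        # other copy of the value keeps resolving to the user. We return the
        # header a server would send, and change nothing server-side.
        return "uid=; Max-Age=0"


class SessionSite:
    """Server-side sessions: the cookie carries a random, per-login token."""

    def __init__(self, ttl=3600, clock=time.time):
        self.sessions = {}  # sha256(token) -> (user_id, expires_at)
        self.ttl = ttl
        self.clock = clock  # injectable so expiry can be tested offline

    @staticmethod
    def _key(token):
        # Store only a hash, so a leaked session table contains no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[self._key(token)] = (user_id, self.clock() + self.ttl)
        return token  # this is the cookie value

    def user_for(self, token):
        rec = self.sessions.get(self._key(token))
        if rec is None:
            return None
        user_id, expires_at = rec
        if expires_at <= self.clock():
            del self.sessions[self._key(token)]  # idle/absolute timeout hit
            return None
        return user_id

    def logout(self, token):
        # Deleting the record is what makes a retained copy of the token useless.
        self.sessions.pop(self._key(token), None)

    def logout_everywhere(self, user_id):
        # Revoke every session for a user, e.g. after a password change.
        stale = [k for k, (uid, _) in self.sessions.items() if uid == user_id]
        for k in stale:
            del self.sessions[k]
        return len(stale)


def demo():
    """Walk both designs through login, a retained copy, and logout."""
    results = {}

    site = IdentifierCookieSite()
    alice_cookie = site.register("alice")
    retained_copy = alice_cookie  # the same value, held on a second machine
    site.logout(alice_cookie)
    results["identifier_copy_after_logout"] = site.user_for(retained_copy)  # "alice"

    now = [1000.0]
    sess = SessionSite(ttl=600, clock=lambda: now[0])
    token = sess.login("alice")
    retained_copy = token
    sess.logout(token)
    results["session_copy_after_logout"] = sess.user_for(retained_copy)  # None

    token = sess.login("alice")
    now[0] += 601  # session outlives its ttl
    results["session_after_expiry"] = sess.user_for(token)  # None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Neither design can tell two holders of the same cookie apart, which is the limit Judah describes, so the practical answer to "how do I authenticate the cookie" is to keep the login state on the server where it can expire and be revoked, rotate the token on each login, and set the cookie with `Secure` and `HttpOnly` so it is not sent in the clear or readable from page scripts. Binding the session to the client IP, as mentioned in the thread, is deliberately left out of the example.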

