To crack a signed cookie you need the secret HMAC key that is usually stored within the application. Brute-forcing an HMAC key will take more time than any hacker has, especially if you change it once a month or so.
--
Thadeus

On Sat, Jul 31, 2010 at 1:00 PM, Armin Ronacher <[email protected]> wrote:
> That is incorrect. That is indeed true for a regular cookie, but that
> has all kinds of problems. I was referring to actual signed cookies.
>
> On Jul 31, 9:56 am, mdipierro <[email protected]> wrote:
>> There is a difference.
>>
>> If you have a uuid session cookie and a server-side session and an
>> attacker hijacks the cookie, he can only get access to the account of
>> the compromised user.
>>
>> If the session is stored client side and the attacker hijacks the
>> cookie, he can tamper with the data in the session and, depending on
>> what the session cookie stores, may get access to more than the data of
>> the compromised user.
>>
>> Massimo
>>
>> On Jul 31, 1:58 am, Armin Ronacher <[email protected]> wrote:
>>
>> > Hi,
>>
>> > On Jul 31, 2:38 am, Scott <[email protected]> wrote:
>> > > I do not agree with item 1. Session data should never be stored
>> > > client-side as it opens a rather large attack vector.
>>
>> > Which attack vector exists for signed cookies with a signed timeout
>> > compared to just session IDs in cookies? Both can be hijacked by a man
>> > in the middle.
>>
>> > Regards,
>> > Armin
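The signed cookie the thread argues about, as an added illustration that is not part of the original thread or of any project mentioned in it: HMAC-SHA256 over a JSON body that carries both the session data and the expiry, so that editing either one without the server-side key invalidates the tag, and an expired cookie is rejected even when its tag is intact. The key, the cookie layout (base64 body, a dot, base64 tag) and all function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server-side secret, constructed for this demo; a real application loads it
# from configuration, rotates it (as the thread suggests) and never sends it to the client.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data, ttl_seconds, key=SECRET_KEY, now=None):
    """Serialise the session data together with an expiry and sign both with HMAC-SHA256.
    The expiry sits inside the signed body, so a client cannot extend its own session."""
    now = time.time() if now is None else now
    payload = {"data": data, "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + tag


def verify_session(cookie, key=SECRET_KEY, now=None):
    """Return the session dict, or None if the tag fails or the signed expiry has passed."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a tag must not be confirmable byte by byte via timing.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # malformed base64, bad JSON, or no "." separator
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) < now:
        return None
    return payload.get("data")


def rewrite_body_keep_tag(cookie, new_data):
    """Model the tampering Massimo describes: edit the client-side data, keep the old tag."""
    body, tag = cookie.split(".", 1)
    payload = json.loads(_unb64(body))
    payload["data"] = new_data
    return _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()) + "." + tag
```

Hijacking the intact cookie still works within its lifetime, which is Armin's point; what the signature prevents is Massimo's scenario of the holder changing what the session says.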

