Reason to use more cookies than just a session hash for authentication?

2018-05-30 09:12:49

I usually hang out in a community that uses a bulletin board software.

I was looking at what this software saves as cookie in my browser.

As you can see it saves 6 cookies. Amongst them, what I consider to be important for authentification are:

ngisessionhash: hash of the current session

ngipassword: hash (not the plain password probably) of the password

ngiuserid: user's id

Those are my assumptions of course. I don't know for sure if ngilastactivity and ngilastvisit are used for the same reason.

My question is: why use all these cookie for authentication? My guess would be that maybe generating a session hash would be to easy so using the hashedpassword and userid adds security but what about cookie spoofing? I'm basically leaving on the client all fundamental informations.

What do you think?

UPDATE #1

My main concern is about these solution giving to much information when under a cookie spoofing attack.

UPDATE #2 This question doesn't want to criticize the way these specific software works but, thorugh these answers I want just to learn more about securing software in a web environment.

This happens because session and login cookies may have different lifecycles.

Imagine website with millions of users every day. The website won't store your session for a year just to log you back the next time you get back. They use login cookies for that.

These cookies are also called Remember-Me cookies.

Sessions are not persistent. Cookies are.

Update #1: I haven't worked with vBullettin but it looks like the classical "Remember me" feature.

Update #2:

Yeah, it's a remember me feature, I'm asking why they're doing it in that way

Alright... How do you implement a "Remember me" feature? You obviously need to use cookies, I assume that's clear. Now, what do you store?

The naivest way is to store user and password in clear text and perform regular authentication. It's among the most insecure mechanisms you can use yet some sites actually do it that way.

Second slightly less naive way is to store a hash of the user and password and perform a modified version of the regular authentication. Is not as bad as the previous method but it still suffers from some issues; for instance, there's no effective way to disable or expire a saved cookie from the server.

Third way is to keep a database table with "remembered" sessions, identify each one with a long unique string and store such string in the cookie. The string can be random or calculated but, of course, randomness has the advantage that the string cannot be guessed even if you know the algorithm.

Further security can be accomplishes by storing dates, IP addresses and other piece of data in the server.

As I said, I know nothing about vBulleting but it seems they're using method 2 or method 3.

Update #3:

The contents of these cookies are what I think they contains. I'm not sure about it. Of course if call a cookie ngivbpassword and contains an hash, my guess is hashedpassword. Probably it could be password+salt.[...] My main concern is about these solution giving to much information when under a cookie spoofing attack.

A successfully cookie spoofing allows you to fully impersonate the user so you can just enter the control panel and enjoy the free buffet, thus making the cookie content irrelevant.

Whether they store a salted password or it's just a name it's something I don't know.

Here is a question, what are your concerns? Are you building some kind of authentication system? I also think that having the user id and password in cookies can be a security issue. is user id encoded or an integer?

链接地址: http://www.djcxy.com/p/4048.html

上一篇: 避免内部吸收者/安装者

下一篇: 使用更多Cookie而不仅仅是会话哈希进行身份验证的原因？