开发者

Is caching roles in cookies secure?

Would caching user roles in a cookie be a security problem? Could they decrypt 开发者_StackOverflow中文版the cookie and change their role to like Admin? Whats a good way around this?


Here is one good read:

How serious is this new ASP.NET security vulnerability and how can I workaround it?

I would personally not store roles in cookies unless there was a really serious performance problem getting them from the database. It's all up to you, security vs. performance wise. If you have a banking or health site, don't cache. If you have an e-commerce store, caching shouldn't be as huge an issue.

Even if you don't cache, the web server should call the database only once per request for automatic role checking. It may call again if you invoke a GetRoles method from any of the System.Web classes.


Generally you should not send more information to the client than is aboslutly necessary.

There is a weakness in asp.net cookies, as olivehour pointed out. But even if there were not a known weakness, you do not know when someone is going to find one.

Here is another type of attack: If you put the role in the cookie and I can monitor the network. Then just by looking at the size of the packets I may be able to figure out who has which role, or who has many roles. Then do a sosial engineering attack based on that information.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜