I am using session cookies for my flask application. They allow me to access data quickly when accessing a database is slow and may cause problems. Is it safe to store information such as a phone number in a session cookie? If not, would there be any way to encrypt the cookies? I am concerned an attacker can steal the data in the cookie even though I am using HTTPS redirects. Currently I am using session['variable'] to store my data and lookup = "select * from table where variable= "" for receiving information from the database. I am wondering if there is a more efficient/more secure way to store information so it cannot be tampered or viewed by the end user. Thanks for any responses in advance!
Related
I originally used static variables to store some user information when a user is browsing my site. I had issues where occasionally a user would navigate somewhere and see a different users name on the page. I switched to using session variables to solve this, but the same problem occurred. I then thought making the session variable names unique in some way would solve the problem, e.g. instead of
Session["userId"]
I changed all session variables to append the unique username of the user when they are created and referenced, so they are:
Session["userId" + Context.Identity.User.Name.ToString()]
So far I've had no reports of the issue, but is this actually going to work? Is there a simple way to protect sessions so the variables don't leak between users? I'm confident with ASP.NET code (webforms specifically) but have only encountered the session issue as more users use the site. I don't have much control over IIS settings as the site is built via AWS Elastic Beanstalk, so it's mostly default IIS settings.
This should work fine, but I suggest storing username or user profile information in cookies or local storage since as you mentioned when lot of users logged in it maintains session for them on server memory(I believe session is in-memory by default not in-proc or redis). This is not scalable as if millions of user logged in or you create load test server considerable memory will be taken by session management. Few hundred users however is not much overhead.
You can store information at user browser using sessionStorage like:
Setting value
sessionStorage.setItem("user_name", "test");
Getting Value
var userName = sessionStorage.getItem("user_name");
It can store javascript object or json too.
Cookies are old way to store info at user end :
Creating cookie
document.userCookie = "username=John Doe";
reading cookie
document.userCookie //"username=John Doe"
Forms authentication also provide encrypted & secured cookies which is maintained with session which is also good if user profile information is sensitive data.
Sorry, I can't write comments for your question, but:
Same issue happed to Java developer with AWS Elastic Beanstalk:
https://forums.aws.amazon.com/thread.jspa?threadID=84027
First, I suggest you try to set no-cache for your HttpResponse (temporary solution), than
I suggest you try to play with your IIS proxy settings.
If it didn't help (and you're using load balancer) - refuse from using inproc settings like in this topic:
User on wrong session
PS. You really don't have to make session variable names different - Session uniqueness is guaranteed by ASP.NET setting different Session_ID for each session.
Why do people recommend to do server side storing of session data if we can sign and encrypt them?
I mean isn't it almost impossible for there to be any security problem if we sign and encrypt them (therefore can just store all data in the session cookie)? Am I missing any security problem here? What else should I consider?
In short, I am asking about the pros and cons of session data storage at server side vs encrypting session cookie.
This has one problem. Session data is sometimes large, in some cases few hundreds kb. If this would have to be sent with every request it would consume a lot of bandwidth.
However if the session data is small and there are millions of users, it can potentially lower the complexity by removing the database for handling session data.
Anyway, I haven't seen a single website doing this.
on the client side, you have to have the key in order to interact with the server (for example, update your shopping cart), then an attacker can obtain the key, decrypt it, alter it, and re-encrypt it with the key, then sent it to the server. that is the end user is the attacker.
the point of encryption is to avoid data being intercept while being transmitted, it cannot solve if the end user is hacking your site.
i read few article about Session Hijacking. hacker sniff cookie and get the session id from there. but i think session id is stored in cookie as encrypted value. is not it?
is it possible to decrypt easily?
what other sensitive data is stored in session cookie...please explain. whatever we stored in session variable from server side code that is stored in session cookie...is it right?
please guide me regarding session cookie and what would be best way to protect Session hijacking. thanks
The idea is that they get the session cookie and used it as it is, to send it to the server and server connects the cookie with the victim session. Actually there is no data on session cookie, just an encrypted number of the session id.
Now there is a case that sensitive data stored on cookie and that is the Roles of the currenct user. To avoid a possible decrypt and change on web.config on <roleManager cacheRolesInCookie="false"
Also on the authentication cookie and on role manager always use the requireSSL="true", so its impossible to steal the cookie of authentication, but you must use secure pages for this make work.
How some can stole a critical session. This can be done if the programmer depends the critical data that show to the user, on the session id. For example, if you store the phone number and the name on a session variable and show that to the user, then some one can stole the full web page and read it (if not ssl). If you have connect the backoffice and the access to hidden administrate page with the session id, then if some steal the session cookie and open the pages, then he can gets on that administrators back office pages.
So its up to you not to store critical information's on session data, and always use ssl pages to administrate and to get send cookie critical data.
Now if a hacker steal the session cookie and you there just store what users see in previous pages, a history of products like amazon, then is not big deal because still can not connect this history with the user, but also can anyone sniff the urls that a user see.
Of course its up to you also to not store critical data on any unencrypted cookie !
So you split your data to critical ones, and not critical ones, and always use SSL for page and cookie for the critical ones, and never trust the data that comes from unsecure pages.
You can also read :
Can some hacker steal the cookie from a user and login with that name on a web site?
Hope this helps you.
An ASP.NET cookie stores Session ID and an Authorization Ticket; however, the issue is not whether one can decrypt the cookie, but rather to be able to create one with identical values and trick the server into believing that your copy of the original cookie is the real one.
The HTTP protocol is stateless so client and server don't maintain information about each other. Session Cookies (using the Session ID and Authorization Ticket) is how they keep track of each other. The web server knows which Session ID is attached to which authorization ticket and if you can provide a valid pair of these values, the web server will happily accept it. The Web server encrypts the cookie using a symmetric encryption algorithm and an autogenerated key (default setting). You can tweak these settings, if you want to, by modifying the appropriate sections in the machine.config file.
I am developing a web application where UserId and RoleId plays a vital role... Is it secure to store these values in session.Someother can be hiddenfield,cookie.. Which is more secured?
Any suggestion for this...
Sessions are more secure than cookies and hidden fields because they are kept on the server. Cookies usually shouldn't contain sensitive data, even encrypted, as users have direct access to them. Hidden fields are also sent to the client, but simply not displayed. Therefore, using tools such as FireBug, you can easily display this content.
There are various places you can store the session, such as in memory (if you're not using them much) or have a SQL server maintaining them. You can get more information on sessions here. Sessions are secure because of the fact that they are stored server side.
Session variables are more secure than cookies, because they're on your server, not the user's computer. Sessions aren't perfect though -- they can be hijacked by stealing the session key. Still, this is more difficult to do than just taking a cookie that's been saved on a computer.
When I need to store "vulnerable" data in session I encrypt the data before storing. The encryption options are created dynamically and are not stored anywhere so if the session ID is compromised, the hacker has no way of decrypting the data. There is a performance overhead so I only store values that need to be secure.
Session is definitely more secure than hidden fields or cookies.
The difference is the SESSION values are stored on the SERVER, and hidden fields and cookies are stored on the client.
Session would be more secure than a cookie (session is stored in memory on the server, where the cookie goes to the client).
What are the do's and don'ts about Cache VS Session VS Cookies?
For example:
I'm using Session variables a lot and sometimes have problems in a booking-application when users start to order products and then go to lunch and come back some hours later and continue the booking. I store the booking in the session until the user confirms or aborts the booking so I don't need to talk to the database and handle halfway bookings in the database when users just click the X in the browser and never comes back.
Should I instead use cache or cookies or some combination for this?
(Also when there is some error in the app, the session-object resets itself and I get more problems because of that)
I'm mostly doing desktop-programming and feel I lack lots of knowledge here so anyone who can expand on where to use Cache, Session, Cookies (or db) would be appreciated
Edit: From the answers it seems that a combination of DB and cookies is what I want.
I have to store the booking in the database connected to a session-id
Store the session-id in a cookie (encrypted).
Every page load checking the cookie and fetch the booking from the database
I have a clean-up procedure that runs once a week that clears unfinished bookings.
I can't store the booking as a cookie because then the user can change prices and other sensitive data and I had to validate everything (can't trust the data).
Have I got it right?
And thanks for great explanations to all of you!
State management is a critical thing to master when coming to Web world from a desktop application perspective.
Session is used to store per-user information for the current Web session on the server. It supports using a database server as the back-end store.
Cookie should be used to store per-user information for the current Web session or persistent information on the client, therefore client has control over the contents of a cookie.
Cache object is shared between users in a single application. Its primary purpose is to cache data from a data store and should not be used as a primary storage. It supports automatic invalidation features.
Application object is shared between users to store application-wide state and should be used accordingly.
If your application is used by a number of unauthenticated users, I suggest you store the data in a cookie. If it requires authentication, you can either store the data in the DB manually or use ASP.NET profile management features.
Web is by nature disconnected model and none of the options mentioned (Session, Application, Cache, ...) are reliable enough. Session will timeout, worker process recycles, etc.
If you really need to store the users progress, reliably and through extended periods, the database is your only solution. If you have users profile (if the user must log in), then it's straightforward. If not, generate a unique Id, store it in the cookie (or URL) and track the user based on that identification.
Just make sure the Id is encrypted and then base64 encoded string and not just a numeric value.
EDIT:
After your additional explanation in the original question and comment from Mehrdad Afshari, good solution for you would be to use Session but set the storage to Sql Server instead of InProc.
Here's more details and instructions how to set it up: http://msdn.microsoft.com/en-us/library/ms178586.aspx
Have in mind that you will STILL have the session timeouts, but they will survive application pool recycles, even server restarts.
If you truly need a permanent storage, custom solution with the database, as I originally outlined is the only solution.
Session is stored on the server will time out by default in 20 minutes (This is adjustable). I would store this in a cookie, or in viewstate(if available) to prevent the timeout.
If your state is stored InProc(the default setup), then having more than one server in a farm is going to cause you issues also unless you have implemented some sort of "sticky session" that will keep the user on the same server in the farm for subsequent calls.
I try to avoid session when possible(puts extra load and memory usage on the server), and keep viewstate turned off when possible to keep the page size low. Cookies are often the most lightweight option, but your users might have this turned off and you will need a fallback mode that still allows them to use the site.
Edit (adding clarification based on response from asker):
Viewstate is stored in a hidden field, and is a serialized representation of all objects in Viewstate storage. Viewstate is automatically used to store the page's state, but you can explicitly add and retrieve your own objects to and from Viewstate programatically if you choose to.
So yes, datasets can be stored in Viewstate.
First thing you must know! cookies are used by session! The server knows who is your user thanks to the cookie which is exchanged between the client and server every request (this works with HTTP headers set-cookie and cookie).
The real question is:
If you want to store user information during the navigation, then you should use session.
If your client doesn't support cookies, then you can decide to store a cookie inside each request, encoded in the URL (the server will use the URL instead of the cookie to find the right session for the request).
Then consider where you want to store your session:If your site must have high disponibility and high performance, then you must not store session inside the process but inside a database. This way you will be able to share the work among several web server.
But you will loose in simplicity (because objects you store in your session must be serializable), and you have one more round trip between your webserver and your database server.
I was always confused between LocalStorage, SessionStorage and Cookie, but not anymore.
Just link the words are self explainable what they suppose to do.
LocalStorage: Local Storage, what does that mean, just thing you don't know anything about technology, but by the itself you can guess.
It is some storage which stores data locally.
that what it is.
IT stores data in Browser without any expiration until user clear it through JavaScript code or Clear browser cache.
Session Storage: It seems like it also stores data but related to a session then how different it is from localStorage?
The main difference is your session storage data will be deleted once the session is finish or browser tab is closed or the browser is closed.
You can just try in browser console by setting
localStorage.setItem('name' , 'alex')
sessionStorage.setItem('session','seesion value')
and then close tab and open again, you can still find localStorage data but not sessionStorage data.
Cookie: So this is totally different from the above two.
A cookie generally used for the server-side purpose.
Stores data that has to be sent back to the server with subsequent
requests.
Its expiration varies based on the type and the expiration
duration can be set from either server-side or client-side (normally
from server-side).
Cookies are primarily for server-side reading (can
also be read on client-side), localStorage and sessionStorage can
only be read on client-side.
Size must be less than 4KB.
Cookies can
be made secure by setting the httpOnly flag as true for that cookie.
This prevents client-side access to that cookie
You should not use the Cache-object to cache session data, for the cache is shared between all users. Instead you could use Asp.Net Profile properties to store your data or you could add an event handler to the Session_End event and store the data if the user leaves the computer for too long.
Cookie is a piece of information shared between co-operating pieces of software, by storing client-specific information on the client's machine and later retrieved to obtain the state information.
chose the term "cookie" as "a cookie is a well-known computer science term that is used when describing an opaque piece of data held by an intermediary". The term opaque here implies that the content is of interest and relevance only to the server and not the client. The browser will automatically include the cookie in all its subsequent requests to the originating host of the cookie. A cookie has a name and a value, and other attribute such as domain and path, expiration date, version number, and comments. for more
Cookie Version:
Cookie: cookie-name=cookie-value; Comment=text; Domain=domain-name; Path=path-name; Max-Age=seconds; Version=1; Secure
Server-side session data can store large data and a client-side cookie data are limited in size sent from a website to server, cookies usually contains reference code by this saving data transfer size. Session closes as soon as browser closed, but cookies are exist longer. Browser sends a session ID to the server as a URL param, cookie, or even HTTP headers.
Cache is a hardware or software component that stores data so future requests for that data can be served faster; the data stored in a cache might be the result of an earlier computation, or the duplicate of data stored elsewhere.
Cookies are stored in browser as a text file format.It is stored limit amount of data.It is only allowing 4kb[4096bytes].It is not holding the multiple variable in cookies.
we can accessing the cookies values in easily.So it is less secure.The setcookie() function must appear BEFORE the tag.
Sessions are stored in server side.It is stored unlimit amount of data.It is holding the multiple variable in sessions. we cannot accessing the cookies values in easily.So it is more secure.