
I am working on a cross-site scripting vulnerability issue which exposes an id and email via a cookie (since I am storing them in a cookie); with that, any hacker can use the email and id to send a request to the server using malicious JavaScript. I wanted to know whether I can encrypt a cookie, and if so, how to implement it and store it in a remote database using a web service (SOAP/REST). I also want to decrypt the cookie stored in the database (MS SQL 2011) using BMC Remedy. Please do help me with how to do that.

I need help on two things:

1) Which is the best and safest algorithm to encrypt a cookie?

2) How do I decrypt the encrypted cookie in BMC Remedy?

  • Storing a user's id and email in a cookie is probably not a good idea in the first place, and using that cookie to authenticate users is a bad idea. I'd recommend creating some unique hash on your server, sending that to the client and verifying it. But why do you allow malicious JavaScript in the first place? I'd recommend fixing that first. – Jonas Czech Apr 11 '16 at 10:19
  • The issue is related to a security vulnerability, so we are trying to mitigate it. The point is that an attacker can use the user id or email from the URL itself, something like www.example.com/login.do?userid=AFD33232. We are using the Struts framework for our Java framework. We are generating the cookies for the userid in our Java program, and the same user id we are using in Remedy, so when Remedy communicates with Java it does so by using the user id only. – Passionate Life Apr 11 '16 at 12:36
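As an added illustration (not code from the question, from Struts or from BMC Remedy), this Java class seals a cookie payload with AES-256-GCM, the authenticated-encryption choice a practitioner would reach for when asked for the "safest algorithm": the browser can neither read the id/email nor alter the value, and any server component holding the key can open it. The class name, method names and the sample payload are constructed for the example; the key-storage location is an assumption noted in the comments.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

// Added example. Seals a cookie payload with AES-256-GCM so the client can neither
// read nor tamper with it; only a server component holding the key can open it.
public class SealedCookie {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();
    // Generated once and kept server-side (assumed: a vault or environment variable), never sent to the client.
    public static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }
    // Returns base64url(iv || ciphertext || tag), safe to use as a cookie value.
    public static String seal(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                    // fresh IV per cookie; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }
    // Returns the plaintext, or null when the value was altered or forged (GCM tag check
    // fails) or is malformed; the caller then treats the session as invalid.
    public static String open(SecretKey key, String cookieValue) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(cookieValue);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            return new String(c.doFinal(in, IV_BYTES, in.length - IV_BYTES), StandardCharsets.UTF_8);
        } catch (Exception e) {
            return null;
        }
    }
    public static void main(String[] args) throws Exception {
        SecretKey key = newKey();
        String sealed = seal(key, "userid=AFD33232");  // constructed sample payload
        System.out.println(open(key, sealed));         // prints userid=AFD33232
    }
}
```

When the sealed value is set from a servlet or Struts action, mark the cookie HttpOnly and Secure (javax.servlet.http.Cookie#setHttpOnly / #setSecure) so injected script cannot read it at all, which addresses the exposure described in the question independently of the encryption.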

0 Answers