
I launched my site a few days ago on the Pyramid framework, and I chose session.type = cookie with pyramid_beaker for performance reasons. So in the cookie I have an encrypted user_id; it looks like this:

usr: "d79c098d69c26a4a85459acf03104ad74f3a22de1!userid_type:int" 
# for example here is encrypted id 1

And then I tried to substitute the cookie. I logged in under id 2, changed its cookie to the previous one, and now I'm automatically logged in under id 1!!!

Is it normal? Is it safe??? What is the encryption with its super algorithms for, then? So some virus can steal a user's cookie and log in under his id? And where is the Security???

Could anyone explain this to me? Thanks!

Vitalii Ponomar

1 Answer


Yes, session cookies are vulnerable to being stolen and being used to impersonate the logged-in user. You can minimize this risk to some extent by giving sessions a short lifespan, and/or by tying them to the client's IP address, but these are mere stumbling blocks to a dedicated hacker. The only real solution is to fully encrypt the session using SSL. This is why many popular sites (Gmail, Facebook, etc.) offer or require HTTPS sessions, and why the Firefox extension HTTPS Everywhere exists.

kindall
  • So, my solution is to change the type from cookie to (for example) database? – Vitalii Ponomar Feb 14 '12 at 15:19
  • I've never used Pyramid, but generally even when a session is stored on the back end (i.e. a database on the server), some kind of session cookie is used to associate the user with their database record so that the framework doesn't need to authenticate the user on each request. This has the same vulnerability. – kindall Feb 14 '12 at 15:22
  • The only thing I can say is Great... But thanks for explaining, it helped a lot. – Vitalii Ponomar Feb 14 '12 at 15:28
  • Note that due to a recent TLS/SSL attack, even HTTPS is not secure against session hijacking ;) Google for: CRIME TLS – iElectric Sep 15 '12 at 16:11
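To make the answer's point concrete, here is an added example (not code from the question, the answer, or pyramid_beaker) that models a signed cookie session with the Python standard library: a cookie with a valid signature is accepted from any client, which is exactly the replay the question observed, while a short expiry and an optional client-IP binding, the two mitigations the answer names, reject it. The secret, the function names and the sample IPs are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment keeps this out of source code.
SECRET = b"constructed-demo-secret"


def sign(payload: bytes) -> str:
    """HMAC-SHA256 over the serialized session payload (hex digest)."""
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_session(user_id: int, client_ip: str, now: int, max_age: int = 900) -> str:
    """Build a cookie value: base64(payload) + '.' + signature, expiring after max_age seconds."""
    data = {"user_id": user_id, "ip": client_ip, "exp": now + max_age}
    payload = base64.urlsafe_b64encode(json.dumps(data).encode())
    return payload.decode() + "." + sign(payload)


def verify_session(cookie: str, client_ip: str, now: int, bind_ip: bool = True):
    """Return the user_id the cookie authenticates for this request, or None.

    With bind_ip=False only the signature and expiry are checked, so a cookie
    copied from another client is accepted as long as it is still fresh.
    """
    try:
        payload_b64, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed cookie
    payload = payload_b64.encode()
    if not hmac.compare_digest(sign(payload), sig):
        return None  # tampered: the signature is all a signed-cookie session checks
    data = json.loads(base64.urlsafe_b64decode(payload))
    if now >= data["exp"]:
        return None  # short lifespan limits how long a stolen cookie stays useful
    if bind_ip and data["ip"] != client_ip:
        return None  # cookie presented from a client other than the one it was issued to
    return data["user_id"]
```

IP binding is the "stumbling block" the answer describes: it also breaks legitimate users whose address changes (mobile networks, NAT pools), which is why the answer points to HTTPS for the transport as the real fix.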