Question

I launched my site a few days ago on the Pyramid framework and I chose session.type = cookie with pyramid_beaker for performance reasons. So in the cookie I have an encrypted user_id; it looks like this:

usr: "d79c098d69c26a4a85459acf03104ad74f3a22de1!userid_type:int" 
# for example here is encrypted id 1

And then I tried to substitute the cookie. I logged in under id 2, changed its cookie to the previous one, and now I'm automatically logged in under id 1!!!

Is it normal? Is it safe??? What is the encryption with its super algorithms for, then? So some virus can steal a user's cookie and log in under his id? And where is the security???

Could anyone explain this to me? Thanks!


Solution

Yes, session cookies are vulnerable to being stolen and being used to impersonate the logged-in user. You can minimize this risk to some extent by giving sessions a short lifespan, and/or by tying them to the client's IP address, but these are mere stumbling blocks to a dedicated hacker. The only real solution is to fully encrypt the session using SSL. This is why many popular sites (Gmail, Facebook, etc.) offer or require HTTPS sessions, and why the Firefox extension HTTPS Everywhere exists.
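The replay the question describes, and the two stumbling blocks the answer names (short lifespan, binding to the client's address), as an added Python example; this is not code from the question, the answer or pyramid_beaker, and the cookie format, the SECRET key and the address/time values are constructed for illustration:

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-server-secret"  # assumption: server-side key, never sent to the client

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_cookie(user_id: int, client_ip: str, now: float) -> str:
    """Build a signed session cookie that records the client's address and issue time.

    Constructed format: base64(json) + "." + hmac. It stands in for Beaker's
    encrypted cookie, which the question shows as an opaque blob."""
    payload = json.dumps({"uid": user_id, "ip": client_ip, "iat": now}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def user_from_cookie_naive(cookie: str):
    """Mirror of the behaviour the question observed: any cookie whose
    signature/encryption checks out is trusted, so a copied cookie logs in
    as that user no matter who presents it."""
    body, _, sig = cookie.rpartition(".")
    payload = base64.urlsafe_b64decode(body)
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    return json.loads(payload)["uid"]

def user_from_cookie_bound(cookie: str, client_ip: str, now: float, max_age: float = 900):
    """Same check plus the answer's mitigations: reject a cookie older than
    max_age seconds or presented from an address other than the one it was
    issued to. The cookie is still replayable within that window, which is
    why the answer calls these stumbling blocks rather than a fix."""
    body, _, sig = cookie.rpartition(".")
    payload = base64.urlsafe_b64decode(body)
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    data = json.loads(payload)
    if now - data["iat"] > max_age:   # short lifespan limits the replay window
        return None
    if data["ip"] != client_ip:       # cookie replayed from a different address
        return None
    return data["uid"]
```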

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow