Would caching user roles in a cookie be a security problem? Could they decrypt the cookie and change their role to like Admin? Whats a good way around this?
Asked
Active
Viewed 3,990 times
4
Shawn Mclean
- 56,733
- 95
- 279
- 406
2 Answers
2
Here is one good read:
How serious is this new ASP.NET security vulnerability and how can I workaround it?
I would personally not store roles in cookies unless there was a really serious performance problem getting them from the database. It's all up to you, security vs. performance wise. If you have a banking or health site, don't cache. If you have an e-commerce store, caching shouldn't be as huge an issue.
Even if you don't cache, the web server should call the database only once per request for automatic role checking. It may call again if you invoke a GetRoles method from any of the System.Web classes.
-
2If it is really expensive to call to the database, cache the roles in the web server. This data is not likely to change very frequently so the risk of it being stale is very low. If you need it distributed across multiple web servers it may still be accepted to allow each web server to use it's own local cache, or you can simply look at using a distributed cache such as memcache or app fabric. – Aaron Weiker Jan 19 '11 at 15:26
0
Generally you should not send more information to the client than is aboslutly necessary.
There is a weakness in asp.net cookies, as olivehour pointed out. But even if there were not a known weakness, you do not know when someone is going to find one.
Here is another type of attack: If you put the role in the cookie and I can monitor the network. Then just by looking at the size of the packets I may be able to figure out who has which role, or who has many roles. Then do a sosial engineering attack based on that information.
Shiraz Bhaiji
- 64,065
- 34
- 143
- 252