
I am busy with a login system for my project.

Just as an extra step for security... How can I check/detect if a user has manually changed a cookie value?

Is there some easy way of doing this? Or do I have to set an extra Session variable and match it up with that? With this being said, is a normal ASP.Net Session traceable by the browser? And viewable to the user?

Thanks.

Paŭlo Ebermann
Marc Uberstein

4 Answers


You could append a digital signature to the cookie value and check the signature when you read it back. That way, if the cookie value is tampered with it will be very apparent.

using System;
using System.Security.Cryptography;
using System.Text;

private string sign(string hashStr, byte[] secret) 
{
    // Compute the signature hash: HMAC-SHA1 keyed with the server-side secret.
    // The secret never leaves the server, so the user cannot recompute the tag.
    using (HMACSHA1 mac = new HMACSHA1(secret))
    {
        byte[] hashBytes = Encoding.UTF8.GetBytes(hashStr);
        byte[] hashData = mac.ComputeHash(hashBytes);

        // Encode the hash in Base64.
        string hashOut = Convert.ToBase64String(hashData);

        return hashOut;
    }
}

Edit: Fixed the encoder so it's explicitly UTF-8.

As usual, you should also be sure to add some salt to your string before calling this, see: Secure hash and salt for PHP passwords

Bill Brasky
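The answer above only shows the signing half. As an added example (not code from the answer or from any ASP.NET library), here is a complete sign-and-verify pair in C#: the cookie is stored as `value.tag`, the tag is HMAC-SHA256 over the value, and on the way back in the server recomputes the tag and compares it in constant time. The `value.tag` layout, the choice of HMAC-SHA256, the base64url helpers and the demo key are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the answer above. The "value.tag" layout,
// the HMAC-SHA256 choice and the demo key are assumptions of this example.
public static class SignedCookie
{
    // Returns "<value>.<tag>", tag = Base64Url(HMAC-SHA256(key, value)).
    public static string Sign(string value, byte[] key)
    {
        using (var mac = new HMACSHA256(key))
        {
            byte[] tag = mac.ComputeHash(Encoding.UTF8.GetBytes(value));
            return value + "." + Base64UrlEncode(tag);
        }
    }

    // Recomputes the tag over the received value and compares the two in
    // constant time. Returns false on any edit, a missing tag or bad encoding.
    public static bool TryVerify(string cookie, byte[] key, out string value)
    {
        value = null;
        if (string.IsNullOrEmpty(cookie)) return false;
        int dot = cookie.LastIndexOf('.');   // the tag itself never contains '.'
        if (dot < 0) return false;

        string payload = cookie.Substring(0, dot);
        byte[] presented;
        try { presented = Base64UrlDecode(cookie.Substring(dot + 1)); }
        catch (FormatException) { return false; }

        using (var mac = new HMACSHA256(key))
        {
            byte[] expected = mac.ComputeHash(Encoding.UTF8.GetBytes(payload));
            if (!FixedTimeEquals(expected, presented)) return false;
        }
        value = payload;
        return true;
    }

    // Compare without stopping at the first differing byte, so response time
    // does not leak how much of a forged tag was right.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Base64 without '+', '/' and '=' so the tag survives cookie handling as-is.
    private static string Base64UrlEncode(byte[] data)
    {
        return Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);   // throws FormatException on junk
    }

    public static void Main()
    {
        // Demo key only. In production load a persistent key from protected
        // configuration: a key generated at startup invalidates every cookie
        // on each restart, and it must never be sent to the browser.
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);

        string cookie = Sign("uid=42;role=user", key);
        string value;
        Console.WriteLine(cookie);
        Console.WriteLine(TryVerify(cookie, key, out value));

        // What a user editing the cookie in the browser can do: change the
        // value, but not recompute the tag, because the key stays on the server.
        string tampered = cookie.Replace("role=user", "role=admin");
        Console.WriteLine(TryVerify(tampered, key, out value));
    }
}
```

Two caveats a practitioner should keep in mind. First, the value is still plain text: this detects edits but hides nothing, so anything the user should not see belongs server-side. Second, a valid cookie can be replayed for as long as the key is valid, so include an expiry (or a user-specific nonce) in the signed value if that matters. ASP.NET's own forms authentication ticket already applies a machineKey-based MAC (and encryption) to its cookie, so for the login cookie itself there is usually no need to hand-roll this.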

If you have to handle such sensitive information, I would suggest you not store it in user cookies. Instead use sessions to store such values as the user will not be able to tamper with such values.

Cindy Meister
Muhammad Akhtar

Why don't you encrypt the cookie value? That way it is tough for the user to actually change it correctly. Like the previous answer mentions, if it is really sensitive, a cookie is not the place to store it, but encryption gives you a little bit more protection.

coder net
  • Encrypting isn't enough - you can change the values and it won't be detected (although decryption may fail, and of course the user is making blind changes) - you must also sign the cookie, as Bill Brasky suggests. – blowdart Jul 27 '11 at 13:48
  • Really, brother, I don't think this answer deserves a downvote. Check this answer out, it is an option. It depends on what your intentions are. Maybe encryption will work for his purpose. http://stackoverflow.com/questions/523629/tips-on-signed-cookies-instead-of-sessions – coder net Jul 27 '11 at 13:52
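The first comment's point, that an encrypted but unsigned cookie can still be edited, is worth seeing concretely. The following is an added example written for this page, not code from the answer or from any ASP.NET library. It encrypts a one-block cookie value with AES-CBC and no MAC, then plays the user: without the key, XORing bytes of the IV changes the decrypted first block to whatever the attacker wants, and decryption reports no error. The same block then shows the encrypt-then-MAC fix. The `iv||ciphertext` cookie layout, the keys and the cookie values are assumptions of this example; `CryptographicOperations.FixedTimeEquals` needs .NET Core 2.1 / .NET Standard 2.1 or later (on the classic Framework, use a constant-time loop instead).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original thread. Shows why "just encrypt the
// cookie" does not detect tampering: with unauthenticated AES-CBC an attacker
// who knows (or guesses) the plaintext layout can flip bytes of the IV and get
// chosen changes in the first plaintext block. Keys and values are made up.
public static class CookieMalleability
{
    // AES-CBC with PKCS7 padding and no authentication: the "encrypt only" scheme.
    public static byte[] EncryptOnly(byte[] key, byte[] iv, string plaintext)
    {
        using (var aes = Aes.Create())
        using (var enc = aes.CreateEncryptor(key, iv))
        {
            byte[] p = Encoding.UTF8.GetBytes(plaintext);
            return enc.TransformFinalBlock(p, 0, p.Length);
        }
    }

    public static string DecryptOnly(byte[] key, byte[] iv, byte[] ciphertext)
    {
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(key, iv))
        {
            byte[] p = dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
            return Encoding.UTF8.GetString(p);
        }
    }

    // The attack. The cookie carries iv||ciphertext and in CBC the first block
    // decrypts as P1 = D(C1) XOR IV, so XORing IV[i] with (known[i] ^ wanted[i])
    // turns P1[i] into wanted[i] without touching the ciphertext or the key.
    public static byte[] FlipFirstBlock(byte[] iv, string known, string wanted)
    {
        byte[] o = Encoding.UTF8.GetBytes(known);
        byte[] w = Encoding.UTF8.GetBytes(wanted);
        byte[] forged = (byte[])iv.Clone();
        for (int i = 0; i < forged.Length && i < o.Length; i++)
            forged[i] ^= (byte)(o[i] ^ w[i]);
        return forged;
    }

    // The fix: encrypt-then-MAC. Tag IV and ciphertext with a separate HMAC key
    // and refuse to decrypt anything whose tag does not verify.
    public static byte[] Tag(byte[] macKey, byte[] iv, byte[] ciphertext)
    {
        byte[] data = new byte[iv.Length + ciphertext.Length];
        Buffer.BlockCopy(iv, 0, data, 0, iv.Length);
        Buffer.BlockCopy(ciphertext, 0, data, iv.Length, ciphertext.Length);
        using (var mac = new HMACSHA256(macKey)) return mac.ComputeHash(data);
    }

    public static bool TryDecryptAuthenticated(byte[] encKey, byte[] macKey,
        byte[] iv, byte[] ciphertext, byte[] tag, out string plaintext)
    {
        plaintext = null;
        // Constant-time compare; available from .NET Core 2.1 / .NET Standard 2.1.
        if (!CryptographicOperations.FixedTimeEquals(Tag(macKey, iv, ciphertext), tag))
            return false;
        plaintext = DecryptOnly(encKey, iv, ciphertext);
        return true;
    }

    public static void Main()
    {
        byte[] encKey = new byte[32], macKey = new byte[32], iv = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        { rng.GetBytes(encKey); rng.GetBytes(macKey); rng.GetBytes(iv); }

        // Exactly one AES block (16 bytes), so the whole value sits in the
        // block the IV controls; the padding block after it is left untouched.
        string original = "role=user;uid=42";
        byte[] ct = EncryptOnly(encKey, iv, original);
        byte[] tag = Tag(macKey, iv, ct);

        // The user has no key, only the cookie bytes and a guess at the layout.
        byte[] evilIv = FlipFirstBlock(iv, original, "role=root;uid=42");

        Console.WriteLine(DecryptOnly(encKey, evilIv, ct));

        string value;
        Console.WriteLine(TryDecryptAuthenticated(encKey, macKey, evilIv, ct, tag, out value));
        Console.WriteLine(TryDecryptAuthenticated(encKey, macKey, iv, ct, tag, out value) + " " + value);
    }
}
```

Run it and the first line is `role=root;uid=42`: `DecryptOnly` happily returns the attacker's value, because the PKCS7 padding lives in the second block, which the IV does not affect. The authenticated version rejects the forged IV (the tag was computed over the original one) and accepts the untouched cookie. In practice, rather than composing CBC and HMAC by hand, use an authenticated mode such as `AesGcm` (.NET Core 3.0 and later) or let ASP.NET's forms authentication / data protection produce the cookie, since those are already authenticated.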

Add a second variable to your cookie, which is unique to the first value.

On Page_Load compare the two values to the database.

If they do not match a record, then delete the cookie.

Curtis