Hashing cookie-values & preventing cookie-stealing

Question

I have a problem with understanding how one would securely store a hashed cookie. And how to actually hash a cookie.

This is the situation: Every visitor (not user, but also unregistered visitor) of the website gets his own 'secret page', there he can enter 'secret' information. The problem is, that the visitor gets this without the need of selecting a password or something related. The secret key is automatically generated and stored as a cookie. The problem: if the cookie gets compromised the attacker can 'spoof' his own secret key by changing his own key, into that one of the user.

I thought I could fix this problem by:

Generating an unique key for each user
Save the hashed version into database
Save hashed version into cookie
When visitor visits, check if hashed cookie matches database-value

Problem: Attacker could still copy just the hash of the cookie. Because it's just plain-text after all and would still match the database-value.

Or by using this method:

Generated key (A) gets encrypted using e.g AES with key B. The generated string gets stored in a database.
Key B gets stored in cookie; with visitor-ID
When visitor visits, I take his visitor-ID to know in which row in my database I have to look, and if key B successfully decrypts the "string", the user has access to key A to access secret key.

But this is the exact same problem as above...

I'm struggling with the fact, that besides length a password stays secure as long as the user keeps his mound shut or his PC free from malware. But because cookie-stealing is so easy, I need another mechanism for cookies.

So, how do I protect visitors from cookie-stealing in this situation? I'm not asking for flags like HttpOnly or something related, but really for an algorithm/mechanism/... I only need to make sure, that the user is the same user as in the previous sessions. And someone else didn't changed his cookie in that of the other user. This all without any interaction (mail, username, password) of the visitor.

Why do you feel that cookie theft is so easy? Basing website security on cookie security is common practice — Neil Smithline, Jul 09 '16 at 02:41

score 5 · Accepted Answer · answered Jul 09 '16 at 08:43

5

To simplify your question:

You want to share some secret (i.e. hashed cookie or whatever) with the user.
You don't what to have any user involvement in protecting the secret, i.e. no login or whatever.
You want this to be save even if the computer was hacked.

This is impossible. If the computer is hacked the attacker can do everything which does not require any specific user interaction (like entering password only known to the user). This means that the attacker is able to access this secret and can use it. You might add some information about the computer into the secret (i.e. source IP, browser fingerprint...) so that it is hard to use the secret from another computer, but the attacker can still use the secret directly on the victims system.

answered Jul 09 '16 at 08:43

Steffen Ullrich

201,479
30
402
465

And what if we leave out "If the computer was hacked", but replace that with "in case of cookie-stealing". – O'Niel Jul 09 '16 at 09:32
@O'Niel: to cite myself: "You might add some information about the computer into the secret (i.e. source IP, browser fingerprint...) so that it is hard to use the secret from another computer,". Of course this only helps as long as these information are static (Source-IP often change for mobile users or with non-business internet access) and cannot be faked by the attacker (simple browser fingerprints can be faked). – Steffen Ullrich Jul 09 '16 at 09:38
Yeah, that's true. Maybe I'll go with that one than. Thanks! – O'Niel Jul 09 '16 at 09:42

Hashing cookie-values & preventing cookie-stealing

1 Answers1

Linked