NOTE: this is not really an issue, SSL solves it completely, still it came to my mind and I would like to share it with you.
Currently, the signed cookie contains the username. This is sound against cookie forging, because the signature is verified by the server, but it is vulnerable to cookie stealing: anyone owning the cookie can impersonate the logged-in user for a day at most (cookies are timestamped).
SSL solves this issue, but in the meantime we could consider inserting some additional data in the signed cookie and verifying it upon each request. Here are pros and cons of storing various user data:
user agent: can be spoofed even more easily than the cookie, not sound.
user IP address: cannot be spoofed easily, but there are situations where a user's IP address changes legitimately: when accessing from a mobile phone, when moving from one campus building to another...
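Added example (not code from this project): a minimal HMAC-signed cookie that carries the username, an issue timestamp and the client IP as extra binding data, and a verifier that checks all three on each request. The secret key, the one-day lifetime and the addresses are constructed values; the "|" separator and field layout are assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed example secret; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-server-secret-do-not-reuse"
MAX_AGE_SECONDS = 24 * 60 * 60  # cookies are accepted for a day at most


def _mac(payload: str) -> str:
    """HMAC-SHA256 over the serialized payload, hex encoded."""
    return hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def make_cookie(username: str, client_ip: str, now: Optional[float] = None) -> str:
    """Build 'username|timestamp|ip|signature'; the IP is the extra binding data."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    ts = int(now if now is not None else time.time())
    payload = f"{username}|{ts}|{client_ip}"
    return f"{payload}|{_mac(payload)}"


def verify_cookie(cookie: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the cookie is valid for this request, else None."""
    try:
        username, ts_str, bound_ip, sig = cookie.split("|")
        ts = int(ts_str)
    except ValueError:
        return None  # malformed cookie
    payload = f"{username}|{ts_str}|{bound_ip}"
    # Constant-time comparison rejects forged or tampered cookies.
    if not hmac.compare_digest(_mac(payload), sig):
        return None
    current = now if now is not None else time.time()
    if current - ts > MAX_AGE_SECONDS:
        return None  # expired: the one-day window has passed
    # Binding check: a stolen cookie presented from another address is rejected.
    # This is also what breaks legitimate sessions when the user's IP changes.
    if bound_ip != client_ip:
        return None
    return username
```

The binding field can hold any per-request attribute; binding to the IP gives the behaviour described above, including the drawback that a legitimate address change invalidates the session.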