username stored in browser cookie?

Wai
Hello All,

I notice that ofbiz stores the username inside a browser cookie. I would like to get some comments as to whether this is a potential security risk, e.g.:

JSESSIONID=E4CADD25A32162D92C31DC938C108DFE.jvm1; OFBiz.Visitor=10025; mystuff.autoUserLoginId=admin

Thanks

Re: username stored in browser cookie?

BJ Freeman
Since the browser is allowed to store both the login and password, I don't see the problem unless someone is using a public computer.


Wai sent the following on 7/31/2010 9:50 AM:


Re: username stored in browser cookie?

Adrian Crum-2
In reply to this post by Wai
Aren't all cookies a security risk?

-Adrian

--- On Sat, 7/31/10, Wai <[hidden email]> wrote:





Re: username stored in browser cookie?

Wai
Not necessarily. It depends on what kind of information is stored in the cookie.
I just think that storing a username in the cookie constitutes a security risk, as that is 50% of the authentication process.
Wai

Re: username stored in browser cookie?

Wai
In reply to this post by BJ Freeman
BJ,
does ofbiz actually store the password in the cookie? Because a cookie is really a text file, anybody who has access to a browser cache would be able to see it.
A regular person can see the contents of a cookie just by typing "javascript:document.cookie" into the address bar of the browser.

From your previous posting, I take it that ofbiz should be run in an intranet environment. But that would not quite work for people using the ofbiz ecommerce app, since the ecommerce app stores the username in the cookie as well.
Wai

Re: username stored in browser cookie?

David E. Jones-2

I don't know what BJ meant, but the idea of storing a password in a cookie is ridiculous, and I'm absolutely sure that OFBiz does not do that. Some software may, but OFBiz couldn't even do that because the only password it has access to is a one-way encrypted (or hashed) version of the password.

Storing a username in a cookie is an unfortunate but common practice. If you use the web much, just take a look at your current cookies and you'll see. Here are some sites that I can see have my username stored in a cookie:

1. paypal.com
2. apple.com
3. skype.com

All of these sites keep financial information (credit card, etc.) and do ecommerce in some form or other.

A couple of points about this though:

1. the cookie you referenced was the visitor ID, which is NOT the username, or a party ID or anything, just an ID that may be linked to multiple accounts and is used to track a visitor (really a specific browser on a specific client machine)

2. usernames are not commonly considered secret, and I'm not sure where you got that idea; it is common for usernames to be shown on non-encrypted web pages, and to be sent in plain text in emails too; even in communication like encrypted emails the email address (often used as a username) is sent in plain text

-David


On Jul 31, 2010, at 12:35 PM, Wai wrote:



Re: username stored in browser cookie?

Wai
David,
Thanks for the clarification.  I suspected that BJ was joking about the password.

I was running the ecommerce app with the username 'ecomUser1'. Looking at the browser cookie, the username is indeed stored in the cookie ecommerce.autoUserLoginId:

JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1

Even after logout, the username still persists.  eg.

OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1

What this implies is that, on a public computer, the next person would be able to find out the username of the last person that used the ofbiz ecommerce app.

Just as an aside, my paypal account cookie does not contain the username. Here is a sample. As you can see, there is no username/email address in the cookie.

s_sess=%20s_cc%3Dtrue%3B%20s_refresh%3DMy%2720Account%2570Overview%3B%20s_sq%3D%3B

Likewise with skype, there is no personally identifiable info:

__utma=184135460.640743321.1280604163.1280607163.1280704163.1; __utmb=184135760.1.10.1280704163; __utmc=184137460; __utmz=184175460.1280604163.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|262A3C72051D3AF6-40000731C035DA5D[CE]; SC=CC=:CCY=CAD:LC=en-us:LIM=:TM=1280704288:TS=1280704264:TZ=-04%7C00:VAT=:VER=; mbox=check#true#1280607257|session#1280704173508-139822#1280706057|PC#1280607173508-137822.17#1283176197

Nevertheless, I was always under the impression that when an application authenticates a user, only a token is stored in the browser cookie to identify the user.  This token is usually the session id.

Thanks
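The cookie strings pasted above make a handy test input for the kind of check a deployer would want to run. The following Python is an added example, not OFBiz code and not from anyone in this thread: it parses a Cookie header as the browser sends it, labels each cookie by what it reveals (opaque session token, visitor id, or the username itself), and builds the Set-Cookie lines a logout response would need so the username cookie does not outlive the logout. The cookie names come from the thread; the classification rules, the clear_on_logout() helper and the /ecommerce cookie path are assumptions. It also goes slightly beyond the thread by handling values that themselves contain '=' (as the s_sess and SC examples do).

```python
"""Audit a Cookie header for identity-bearing cookies and build the
Set-Cookie lines a logout handler should send to expire them.
Added example for this thread, not OFBiz code; classification rules,
clear_on_logout() and the /ecommerce path are assumptions."""

# Cookie strings as pasted in the thread (constructed test input).
LOGGED_IN = ("JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; "
             "OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1")
AFTER_LOGOUT = "OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1"


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header into {name: value}.

    Values are kept verbatim: a cookie value may itself contain '='
    (see the s_sess / SC examples), so only the first '=' separates.
    """
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def classify(name: str) -> str:
    """Label a cookie by what it reveals.

    session  - opaque token standing in for the login (JSESSIONID)
    tracking - browser/visitor id, not a person (OFBiz.Visitor)
    identity - reveals who the user is (<webapp>.autoUserLoginId)
    """
    if name == "JSESSIONID":
        return "session"
    if name == "OFBiz.Visitor":
        return "tracking"
    if name.endswith(".autoUserLoginId"):
        return "identity"
    return "other"


def identity_cookies(header: str) -> list:
    """Names of cookies in the header that leak the username."""
    return [n for n in parse_cookie_header(header) if classify(n) == "identity"]


def clear_on_logout(header: str, path: str = "/ecommerce") -> list:
    """Set-Cookie lines that expire every identity cookie in the header.

    Max-Age=0 with an empty value makes the browser drop the cookie at
    once. Path (and Domain, if one was set) must match the attributes the
    cookie was created with; otherwise the browser keeps the original and
    the username survives the logout exactly as observed in the thread.
    """
    return [f"{name}=; Max-Age=0; Path={path}; Secure; HttpOnly"
            for name in identity_cookies(header)]


if __name__ == "__main__":
    for name in parse_cookie_header(LOGGED_IN):
        print(f"{name:28} {classify(name)}")
    for line in clear_on_logout(AFTER_LOGOUT):
        print("Set-Cookie:", line)
```

Run against the post-logout string it reports only ecommerce.autoUserLoginId as identity-bearing and emits one clearing header for it; the visitor id is flagged as tracking, not identity.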

Re: username stored in browser cookie?

David E. Jones-2

On Jul 31, 2010, at 1:32 PM, Wai wrote:


Session cookies are totally different and separate from the very common username cookies. Keep studying.

-David



Re: username stored in browser cookie?

Adrian Crum-2
--- On Sat, 7/31/10, David E Jones <[hidden email]> wrote:

> Session cookies are totally different and separate from the
> very common username cookies. Keep studying.

Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by another user.

Hence my initial question. Cookies are a security threat. That's why modern browsers give you the option of disabling them or removing them when the browser closes.

-Adrian





Re: username stored in browser cookie?

Michael Wechner
Adrian Crum wrote:
> Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by another user.

yes, but what is the alternative?

Cheers

Michael

> Hence my initial question. Cookies are a security threat. That's why modern browsers give you the options of disabling them or removing them when the browser closes.


Re: username stored in browser cookie?

David E. Jones-2
In reply to this post by Adrian Crum-2

On Jul 31, 2010, at 1:48 PM, Adrian Crum wrote:

> Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by another user.
>
> Hence my initial question. Cookies are a security threat. That's why modern browsers give you the options of disabling them or removing them when the browser closes.

Actually, when you are using HTTPS cookies are not generally used for session ID since HTTPS has session tracking built in, so it's not needed. Generally an HTTPS session is fairly hard to hijack (or at least harder than sniffing a cookie in plain text over the wire).

In plain HTTP not much is secure, but in HTTPS it is pretty good, including the session tracking.

-David



Re: username stored in browser cookie?

Adrian Crum-2
In reply to this post by Michael Wechner
As far as OFBiz is concerned, as long as you use it as intended there is little to worry about - cookie security issues have been addressed. If a user is still concerned about them, they can be directed here:

http://www.us-cert.gov/reading_room/securing_browser/browser_security.html

-Adrian

--- On Sat, 7/31/10, Michael Wechner <[hidden email]> wrote:





Re: username stored in browser cookie?

BJ Freeman
In reply to this post by Wai
Clarification: I said the browser does.
When you log in to a site, the browser asks if you want to store the login (userid and password).
This has nothing to do with ofbiz.

Wai sent the following on 7/31/2010 11:35 AM:


Re: username stored in browser cookie?

Jacques Le Roux
Administrator
In reply to this post by Adrian Crum-2
From: "Adrian Crum" <[hidden email]>

> Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by
> another user.
>
> Hence my initial question. Cookies are a security threat. That's why modern browsers give you the options of disabling them or
> removing them when the browser closes.
>
> -Adrian

Also there is this type of cookie: http://en.wikipedia.org/wiki/Local_Shared_Object
I use BetterPrivacy on FF.

Jacques



Re: username stored in browser cookie?

David E. Jones-2
In reply to this post by BJ Freeman

Yes, that's clear BJ, and you're right. Many browsers have "password manager" sorts of things that allow the user to locally save passwords in a usually encrypted store of some sort, and that is very different from a cookie and not anything the server can control.

-David


On Jul 31, 2010, at 2:22 PM, BJ Freeman wrote:
