Posted to user@ofbiz.apache.org by Wai <bz...@gmail.com> on 2010/07/31 18:50:54 UTC

username stored in browser cookie?

Hello All,

I notice that ofbiz stores the username inside a browser cookie.  I would
like to get some comments as to whether this is a potential security risk?
eg...

JSESSIONID=E4CADD25A32162D92C31DC938C108DFE.jvm1; OFBiz.Visitor=10025;
mystuff.autoUserLoginId=admin

Thanks
-- 
View this message in context: http://ofbiz.135035.n4.nabble.com/username-stored-in-browser-cookie-tp2308984p2308984.html
Sent from the OFBiz - User mailing list archive at Nabble.com.

Re: username stored in browser cookie?

Posted by David E Jones <de...@me.com>.
Yes, that's clear BJ, and you're right. Many browsers have "password manager" sorts of things that allow the user to locally save passwords in a usually encrypted store of some sort, and that is very different from a cookie and not anything the server can control.

-David


On Jul 31, 2010, at 2:22 PM, BJ Freeman wrote:

> clarification
> I said the browser does
> when you login to a site the browser ask if you want to store the login (userid and password).
> this has nothing to do with ofbiz.
> 
> Wai sent the following on 7/31/2010 11:35 AM:
>> 
>> BJ,
>> does ofbiz actually store the password in the cookie?  Because a cookie is
>> really a text file, anybody who has access to a browser cache would be able
>> to see it.
>> A regular person can see the contents of a cookie just by typing in
>> "javascript:document.cookie" in the address of the browser.
>> 
>> From your previous posting, I take it that ofbiz should be run in an
>> intranet environment.  But that would not quite work for people using ofbiz
>> ecommerce app.  Since the ecommerce app stores the username in the cookie as
>> well.
>> Wai


Re: username stored in browser cookie?

Posted by BJ Freeman <bj...@free-man.net>.
clarification
I said the browser does
when you login to a site the browser ask if you want to store the login 
(userid and password).
this has nothing to do with ofbiz.

Wai sent the following on 7/31/2010 11:35 AM:
>
> BJ,
> does ofbiz actually store the password in the cookie?  Because a cookie is
> really a text file, anybody who has access to a browser cache would be able
> to see it.
> A regular person can see the contents of a cookie just by typing in
> "javascript:document.cookie" in the address of the browser.
>
> From your previous posting, I take it that ofbiz should be run in an
> intranet environment.  But that would not quite work for people using ofbiz
> ecommerce app.  Since the ecommerce app stores the username in the cookie as
> well.
> Wai

Re: username stored in browser cookie?

Posted by Jacques Le Roux <ja...@les7arts.com>.
From: "Adrian Crum" <ad...@yahoo.com>
> --- On Sat, 7/31/10, David E Jones <de...@me.com> wrote:
>> On Jul 31, 2010, at 1:32 PM, Wai wrote:
>>
>> >
>> > David,
>> > Thanks for the clarification. I suspected that
>> BJ was joking about the
>> > password.
>> >
>> > I was running ecommerce app with the username
>> 'ecomUser1'. Looking at the
>> > browser cookie, the username is indeed stored in the
>> cookie for
>> > ecommerce.autoUserLoginId
>> >
>> > JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1;
>> OFBiz.Visitor=10041;
>> > ecommerce.autoUserLoginId=ecomUser1
>> >
>> > Even after logout, the username still persists.
>> eg.
>> >
>> > OFBiz.Visitor=10041;
>> ecommerce.autoUserLoginId=ecomUser1
>> >
>> > What this implies is that, on a public computer, the
>> next person would be
>> > able to find out the username of the last person that
>> used the ofbiz
>> > ecommerce app.
>> >
>> > Just as an aside, my paypal account cookie does not
>> contain the username.
>> > Here is a sample. As you can see, there is
>> username/email address in the
>> > cookie.
>> >
>> >
>> s_sess=%20s_cc%3Dtrue%3B%20s_refresh%3DMy%2720Account%2570Overview%3B%20s_sq%3D%3B
>> >
>> > Likewise with skype, there is no personally
>> identifiable info:
>> >
>> >
>> __utma=184135460.640743321.1280604163.1280607163.1280704163.1;
>> > __utmb=184135760.1.10.1280704163; __utmc=184137460;
>> >
>> __utmz=184175460.1280604163.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
>> > s_cc=true; s_sq=%5B%5BB%5D%5D;
>> > s_vi=[CS]v1|262A3C72051D3AF6-40000731C035DA5D[CE];
>> >
>> SC=CC=:CCY=CAD:LC=en-us:LIM=:TM=1280704288:TS=1280704264:TZ=-04%7C00:VAT=:VER=;
>> >
>> mbox=check#true#1280607257|session#1280704173508-139822#1280706057|PC#1280607173508-137822.17#1283176197
>> >
>> > Nevertheless, I was always under the impression that
>> when an application
>> > authenticates a user, only a token is stored in the
>> browser cookie to
>> > identify the user. This token is usually the
>> session id.
>> >
>> > Thanks
>>
>> Session cookies are totally different and separate from the
>> very common username cookies. Keep studying.
>
> Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by 
> another user.
>
> Hence my initial question. Cookies are a security threat. That's why modern browsers give you the options of disabling them or 
> removing them when the browser closes.
>
> -Adrian

Also there is this type of cookie: http://en.wikipedia.org/wiki/Local_Shared_Object
I use BetterPrivacy on FF

Jacques 



Re: username stored in browser cookie?

Posted by Adrian Crum <ad...@yahoo.com>.
As far as OFBiz is concerned, as long as you use it as intended there is little to worry about - cookie security issues have been addressed. If a user is still concerned about them, they can be directed here:

http://www.us-cert.gov/reading_room/securing_browser/browser_security.html

-Adrian

--- On Sat, 7/31/10, Michael Wechner <mi...@wyona.com> wrote:

> From: Michael Wechner <mi...@wyona.com>
> Subject: Re: username stored in browser cookie?
> To: user@ofbiz.apache.org
> Date: Saturday, July 31, 2010, 1:00 PM
> Adrian Crum wrote:
> >>> Thanks
> >>>       
> >> Session cookies are totally different and separate
> from the
> >> very common username cookies. Keep studying.
> >>     
> >
> > Also keep in mind that storing the session ID in a
> cookie is a security risk too - that session ID can be
> hijacked or reused by another user.
> >   
> 
> yes, but what is the alternative?
> 
> Cheers
> 
> Michael
> 
> > Hence my initial question. Cookies are a security
> threat. That's why modern browsers give you the options of
> disabling them or removing them when the browser closes.
> >
> > -Adrian
> >
> >
> >
> >       
> >   
> 
> 


Re: username stored in browser cookie?

Posted by Michael Wechner <mi...@wyona.com>.
Adrian Crum wrote:
>>> Thanks
>>>       
>> Session cookies are totally different and separate from the
>> very common username cookies. Keep studying.
>>     
>
> Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by another user.
>   

yes, but what is the alternative?

Cheers

Michael

> Hence my initial question. Cookies are a security threat. That's why modern browsers give you the options of disabling them or removing them when the browser closes.
>
> -Adrian
>
>
>
>       
>   


Re: username stored in browser cookie?

Posted by David E Jones <de...@me.com>.
On Jul 31, 2010, at 1:48 PM, Adrian Crum wrote:

> --- On Sat, 7/31/10, David E Jones <de...@me.com> wrote:
>> On Jul 31, 2010, at 1:32 PM, Wai wrote:
>> 
>>> 
>>> David,
>>> Thanks for the clarification.  I suspected that
>> BJ was joking about the
>>> password.
>>> 
>>> I was running ecommerce app with the username
>> 'ecomUser1'.  Looking at the
>>> browser cookie, the username is indeed stored in the
>> cookie for
>>> ecommerce.autoUserLoginId
>>> 
>>> JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1;
>> OFBiz.Visitor=10041;
>>> ecommerce.autoUserLoginId=ecomUser1
>>> 
>>> Even after logout, the username still persists. 
>> eg.
>>> 
>>> OFBiz.Visitor=10041;
>> ecommerce.autoUserLoginId=ecomUser1
>>> 
>>> What this implies is that, on a public computer, the
>> next person would be
>>> able to find out the username of the last person that
>> used the ofbiz
>>> ecommerce app.
>>> 
>>> Just as an aside, my paypal account cookie does not
>> contain the username. 
>>> Here is a sample.  As you can see, there is
>> username/email address in the
>>> cookie.
>>> 
>>> 
>> s_sess=%20s_cc%3Dtrue%3B%20s_refresh%3DMy%2720Account%2570Overview%3B%20s_sq%3D%3B
>>> 
>>> Likewise with skype, there is no personally
>> identifiable info:
>>> 
>>> 
>> __utma=184135460.640743321.1280604163.1280607163.1280704163.1;
>>> __utmb=184135760.1.10.1280704163; __utmc=184137460;
>>> 
>> __utmz=184175460.1280604163.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
>>> s_cc=true; s_sq=%5B%5BB%5D%5D;
>>> s_vi=[CS]v1|262A3C72051D3AF6-40000731C035DA5D[CE];
>>> 
>> SC=CC=:CCY=CAD:LC=en-us:LIM=:TM=1280704288:TS=1280704264:TZ=-04%7C00:VAT=:VER=;
>>> 
>> mbox=check#true#1280607257|session#1280704173508-139822#1280706057|PC#1280607173508-137822.17#1283176197
>>> 
>>> Nevertheless, I was always under the impression that
>> when an application
>>> authenticates a user, only a token is stored in the
>> browser cookie to
>>> identify the user.  This token is usually the
>> session id.
>>> 
>>> Thanks
>> 
>> Session cookies are totally different and separate from the
>> very common username cookies. Keep studying.
> 
> Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by another user.
> 
> Hence my initial question. Cookies are a security threat. That's why modern browsers give you the options of disabling them or removing them when the browser closes.

Actually, when you are using HTTPS cookies are not generally used for session ID since HTTPS has session tracking built in, so it's not needed. Generally an HTTPS session is fairly hard to hijack (or at least harder than sniffing a cookie in plain text over the wire).

In plain HTTP not much is secure, but in HTTPS it is pretty good, including the session tracking.

-David



Re: username stored in browser cookie?

Posted by Adrian Crum <ad...@yahoo.com>.
--- On Sat, 7/31/10, David E Jones <de...@me.com> wrote:
> On Jul 31, 2010, at 1:32 PM, Wai wrote:
> 
> > 
> > David,
> > Thanks for the clarification.  I suspected that
> BJ was joking about the
> > password.
> > 
> > I was running ecommerce app with the username
> 'ecomUser1'.  Looking at the
> > browser cookie, the username is indeed stored in the
> cookie for
> > ecommerce.autoUserLoginId
> > 
> > JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1;
> OFBiz.Visitor=10041;
> > ecommerce.autoUserLoginId=ecomUser1
> > 
> > Even after logout, the username still persists. 
> eg.
> > 
> > OFBiz.Visitor=10041;
> ecommerce.autoUserLoginId=ecomUser1
> > 
> > What this implies is that, on a public computer, the
> next person would be
> > able to find out the username of the last person that
> used the ofbiz
> > ecommerce app.
> > 
> > Just as an aside, my paypal account cookie does not
> contain the username. 
> > Here is a sample.  As you can see, there is
> username/email address in the
> > cookie.
> > 
> >
> s_sess=%20s_cc%3Dtrue%3B%20s_refresh%3DMy%2720Account%2570Overview%3B%20s_sq%3D%3B
> > 
> > Likewise with skype, there is no personally
> identifiable info:
> > 
> >
> __utma=184135460.640743321.1280604163.1280607163.1280704163.1;
> > __utmb=184135760.1.10.1280704163; __utmc=184137460;
> >
> __utmz=184175460.1280604163.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
> > s_cc=true; s_sq=%5B%5BB%5D%5D;
> > s_vi=[CS]v1|262A3C72051D3AF6-40000731C035DA5D[CE];
> >
> SC=CC=:CCY=CAD:LC=en-us:LIM=:TM=1280704288:TS=1280704264:TZ=-04%7C00:VAT=:VER=;
> >
> mbox=check#true#1280607257|session#1280704173508-139822#1280706057|PC#1280607173508-137822.17#1283176197
> > 
> > Nevertheless, I was always under the impression that
> when an application
> > authenticates a user, only a token is stored in the
> browser cookie to
> > identify the user.  This token is usually the
> session id.
> > 
> > Thanks
> 
> Session cookies are totally different and separate from the
> very common username cookies. Keep studying.

Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by another user.

Hence my initial question. Cookies are a security threat. That's why modern browsers give you the options of disabling them or removing them when the browser closes.

-Adrian



Re: username stored in browser cookie?

Posted by David E Jones <de...@me.com>.
On Jul 31, 2010, at 1:32 PM, Wai wrote:

> 
> David,
> Thanks for the clarification.  I suspected that BJ was joking about the
> password.
> 
> I was running ecommerce app with the username 'ecomUser1'.  Looking at the
> browser cookie, the username is indeed stored in the cookie for
> ecommerce.autoUserLoginId
> 
> JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; OFBiz.Visitor=10041;
> ecommerce.autoUserLoginId=ecomUser1
> 
> Even after logout, the username still persists.  eg.
> 
> OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1
> 
> What this implies is that, on a public computer, the next person would be
> able to find out the username of the last person that used the ofbiz
> ecommerce app.
> 
> Just as an aside, my paypal account cookie does not contain the username. 
> Here is a sample.  As you can see, there is username/email address in the
> cookie.
> 
> s_sess=%20s_cc%3Dtrue%3B%20s_refresh%3DMy%2720Account%2570Overview%3B%20s_sq%3D%3B
> 
> Likewise with skype, there is no personally identifiable info:
> 
> __utma=184135460.640743321.1280604163.1280607163.1280704163.1;
> __utmb=184135760.1.10.1280704163; __utmc=184137460;
> __utmz=184175460.1280604163.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
> s_cc=true; s_sq=%5B%5BB%5D%5D;
> s_vi=[CS]v1|262A3C72051D3AF6-40000731C035DA5D[CE];
> SC=CC=:CCY=CAD:LC=en-us:LIM=:TM=1280704288:TS=1280704264:TZ=-04%7C00:VAT=:VER=;
> mbox=check#true#1280607257|session#1280704173508-139822#1280706057|PC#1280607173508-137822.17#1283176197
> 
> Nevertheless, I was always under the impression that when an application
> authenticates a user, only a token is stored in the browser cookie to
> identify the user.  This token is usually the session id.
> 
> Thanks

Session cookies are totally different and separate from the very common username cookies. Keep studying.

-David



Re: username stored in browser cookie?

Posted by Wai <bz...@gmail.com>.
David,
Thanks for the clarification.  I suspected that BJ was joking about the
password.

I was running ecommerce app with the username 'ecomUser1'.  Looking at the
browser cookie, the username is indeed stored in the cookie for
ecommerce.autoUserLoginId

JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; OFBiz.Visitor=10041;
ecommerce.autoUserLoginId=ecomUser1

Even after logout, the username still persists.  eg.

OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1

What this implies is that, on a public computer, the next person would be
able to find out the username of the last person that used the ofbiz
ecommerce app.

Just as an aside, my paypal account cookie does not contain the username. 
Here is a sample.  As you can see, there is username/email address in the
cookie.

s_sess=%20s_cc%3Dtrue%3B%20s_refresh%3DMy%2720Account%2570Overview%3B%20s_sq%3D%3B

Likewise with skype, there is no personally identifiable info:

__utma=184135460.640743321.1280604163.1280607163.1280704163.1;
__utmb=184135760.1.10.1280704163; __utmc=184137460;
__utmz=184175460.1280604163.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
s_cc=true; s_sq=%5B%5BB%5D%5D;
s_vi=[CS]v1|262A3C72051D3AF6-40000731C035DA5D[CE];
SC=CC=:CCY=CAD:LC=en-us:LIM=:TM=1280704288:TS=1280704264:TZ=-04%7C00:VAT=:VER=;
mbox=check#true#1280607257|session#1280704173508-139822#1280706057|PC#1280607173508-137822.17#1283176197

Nevertheless, I was always under the impression that when an application
authenticates a user, only a token is stored in the browser cookie to
identify the user.  This token is usually the session id.

Thanks

-- 
View this message in context: http://ofbiz.135035.n4.nabble.com/username-stored-in-browser-cookie-tp2308984p2309061.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
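
Added example (editor's illustration, not OFBiz project code) that walks through what Wai reports above and the session-cookie point raised in David's and Adrian's replies: a small model of a browser cookie jar in JavaScript, fed with the cookie names quoted in this thread. It shows why a session cookie such as JSESSIONID (no Max-Age or Expires) is gone when the browser closes while a cookie with a Max-Age such as ecommerce.autoUserLoginId survives and is there for the next person at a shared machine, what "javascript:document.cookie" can and cannot read (HttpOnly cookies are hidden from page script), and the Set-Cookie header a logout handler has to send to drop the persistent cookie. The Path, Max-Age and HttpOnly attributes on the sample headers are assumptions made for the illustration; the thread does not show which attributes OFBiz actually sets.

```javascript
// Added example (not OFBiz code). Models what a browser keeps from a set of
// Set-Cookie headers, what document.cookie can read, what survives a browser
// restart, and the header a logout handler must send to drop a persistent
// username cookie. Cookie names are the ones quoted in this thread; the
// attributes on each sample header are constructed assumptions.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of rest) {
    const i = a.indexOf("=");
    if (i === -1) cookie.attrs[a.toLowerCase()] = true;
    else cookie.attrs[a.slice(0, i).toLowerCase()] = a.slice(i + 1);
  }
  return cookie;
}

// A cookie outlives the browser session only if it carries Max-Age or Expires.
function isPersistent(c) {
  return "max-age" in c.attrs || "expires" in c.attrs;
}

// Minimal cookie jar keyed by name (single host and path, enough for the
// thread). Max-Age of zero or less removes the cookie, as RFC 6265 requires.
function applySetCookies(jar, headers) {
  const next = new Map(jar);
  for (const h of headers) {
    const c = parseSetCookie(h);
    const maxAge = "max-age" in c.attrs ? Number(c.attrs["max-age"]) : null;
    if (maxAge !== null && maxAge <= 0) next.delete(c.name);
    else next.set(c.name, c);
  }
  return next;
}

// Value of the Cookie request header the browser would send now.
function cookieHeader(jar) {
  return [...jar.values()].map((c) => `${c.name}=${c.value}`).join("; ");
}

// Closing the browser discards session cookies; persistent ones remain.
function afterBrowserRestart(jar) {
  return new Map([...jar].filter(([, c]) => isPersistent(c)));
}

// What "javascript:document.cookie" shows: every cookie not marked HttpOnly.
function documentCookie(jar) {
  return [...jar.values()]
    .filter((c) => !("httponly" in c.attrs))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Header a logout handler sends to remove a cookie: same name and Path as
// the original, empty value, Max-Age=0.
function clearCookieHeader(name, path) {
  return `${name}=; Path=${path}; Max-Age=0`;
}

// Constructed sample of a login response's headers (attributes assumed;
// JSESSIONID deliberately has no HttpOnly, matching what Wai could read).
const LOGIN_SET_COOKIES = [
  "JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; Path=/ecommerce",
  "OFBiz.Visitor=10041; Path=/; Max-Age=31536000",
  "ecommerce.autoUserLoginId=ecomUser1; Path=/ecommerce; Max-Age=31536000",
];

// Walk the scenario from the thread and return each stage's Cookie header.
function scenario() {
  const loggedIn = applySetCookies(new Map(), LOGIN_SET_COOKIES);
  // Logout that only invalidates the server-side session: the username
  // cookie is persistent, so the next user of the machine still sees it.
  const restartedNoClear = afterBrowserRestart(loggedIn);
  // Logout that also expires the username cookie.
  const cleared = applySetCookies(loggedIn, [
    clearCookieHeader("ecommerce.autoUserLoginId", "/ecommerce"),
  ]);
  return {
    loggedIn: cookieHeader(loggedIn),
    scriptVisible: documentCookie(loggedIn),
    afterRestartWithoutClear: cookieHeader(restartedNoClear),
    afterRestartWithClear: cookieHeader(afterBrowserRestart(cleared)),
  };
}

console.log(scenario());
```

The model makes one thing explicit that the thread circles around: whether a cookie outlives the browser is decided by Max-Age/Expires, and invalidating the server-side session on logout does nothing to a persistent cookie already in the jar; only a Set-Cookie with the same name and Path and Max-Age=0 (or a past Expires) removes it. Transport and script exposure are separate attributes again: the Secure flag keeps a cookie off plain HTTP and HttpOnly keeps it out of document.cookie, and those two are the checks to make on the session cookie whatever else the site does.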

Re: username stored in browser cookie?

Posted by David E Jones <de...@me.com>.
I don't know what BJ meant, but the idea of storing a password in a cookie is ridiculous, and I'm absolutely sure that OFBiz does not do that. Some software may, but OFBiz couldn't even do that because the only password it has access to is a one-way encrypted (or hashed) version of the password.

Storing a username in a cookie is an unfortunate but common practice. If you use the web much, just take a look at your current cookies and you'll see. Here are some sites that I can see have my username stored in a cookie:

1. paypal.com
2. apple.com
3. skype.com

All of these sites keep financial information (credit card, etc), and do ecommerce in some form or other.

A couple of points about this though:

1. the cookie you referenced was the visitor ID, which is NOT the username, or a party ID or anything, just an ID that may be linked to multiple accounts and is used to track a visitor (really a specific browser on a specific client machine)

2. usernames are not commonly considered secret, and I'm not sure where you got that idea; it is common for usernames to be shown on non-encrypted web pages, and to be sent in plain text in emails too; even in communication like encrypted emails the email address (often used as a username) is sent in plain text

-David


On Jul 31, 2010, at 12:35 PM, Wai wrote:

> 
> BJ,
> does ofbiz actually store the password in the cookie?  Because a cookie is
> really a text file, anybody who has access to a browser cache would be able
> to see it.
> A regular person can see the contents of a cookie just by typing in
> "javascript:document.cookie" in the address of the browser.
> 
> From your previous posting, I take it that ofbiz should be run in an
> intranet environment.  But that would not quite work for people using ofbiz
> ecommerce app.  Since the ecommerce app stores the username in the cookie as
> well.
> Wai


Re: username stored in browser cookie?

Posted by Wai <bz...@gmail.com>.
BJ,
does ofbiz actually store the password in the cookie?  Because a cookie is
really a text file, anybody who has access to a browser cache would be able
to see it.
A regular person can see the contents of a cookie just by typing in
"javascript:document.cookie" in the address of the browser.

From your previous posting, I take it that ofbiz should be run in an
intranet environment.  But that would not quite work for people using ofbiz
ecommerce app.  Since the ecommerce app stores the username in the cookie as
well.
Wai
-- 
View this message in context: http://ofbiz.135035.n4.nabble.com/username-stored-in-browser-cookie-tp2308984p2309026.html
Sent from the OFBiz - User mailing list archive at Nabble.com.

Re: username stored in browser cookie?

Posted by BJ Freeman <bj...@free-man.net>.
since the browser is allowed to store both the log in and password, I 
don't see the problem unless someone is using a public computer.


Wai sent the following on 7/31/2010 9:50 AM:
>
> Hello All,
>
> I notice that ofbiz stores the username inside a browser cookie.  I would
> like to get some comments as to whether this is a potential security risk?
> eg...
>
> JSESSIONID=E4CADD25A32162D92C31DC938C108DFE.jvm1; OFBiz.Visitor=10025;
> mystuff.autoUserLoginId=admin
>
> Thanks

Re: username stored in browser cookie?

Posted by Wai <bz...@gmail.com>.
Not necessarily. It depends on what kind of information is stored in the
cookie.
I just think that storing a username in the cookie constitutes a security
risk as that is 50% of the authentication process.

-- 
View this message in context: http://ofbiz.135035.n4.nabble.com/username-stored-in-browser-cookie-tp2308984p2309020.html
Sent from the OFBiz - User mailing list archive at Nabble.com.

Re: username stored in browser cookie?

Posted by Adrian Crum <ad...@yahoo.com>.
Aren't all cookies a security risk?

-Adrian

--- On Sat, 7/31/10, Wai <bz...@gmail.com> wrote:

> From: Wai <bz...@gmail.com>
> Subject: username stored in browser cookie?
> To: user@ofbiz.apache.org
> Date: Saturday, July 31, 2010, 9:50 AM
> 
> Hello All,
> 
> I notice that ofbiz stores the username inside a browser
> cookie.  I would
> like to get some comments as to whether this is a potential
> security risk?
> eg...
> 
> JSESSIONID=E4CADD25A32162D92C31DC938C108DFE.jvm1;
> OFBiz.Visitor=10025;
> mystuff.autoUserLoginId=admin
> 
> Thanks