Page History

Storing sensitive information at client-When building an application that uses a client-server model, storing sensitive information, such as user credentials, on the client side may result in its unauthorized disclosure if an application the client is vulnerable to attacks that can compromise the information. For example, consider the use of a cookie for storing sensitive information such as user credentials. A cookie is set attack.

For web applications, the most common mitigation to this problem is to provide the client with a cookie and store the sensitive information on the server. Cookies are created by a web server and is are stored for a certain period of time on the client-side. All subsequent requests to the domain identified by the cookie are made to contain information that was saved in the cookie. If the web application is vulnerable to a . When the client reconnects to the server, it provides the cookie, which identifies the client to the server, and the server then provides the sensitive information.

Cookies do not protect sensitive information against cross-site scripting (XSS) vulnerability, an attacker may be able to read any unencrypted information contained in the cookie.attacks. An attacker who is able to obtain a cookie either through an XSS attack or directly by attacking the client can obtain the sensitive information from the server using the cookie. This risk is timeboxed if the server invalidates the session after a limited time has elapsed, such as 15 minutes.

A cookie is typically a short string. If it contains sensitive information, that information should be encrypted. Sensitive information includes passwordsA partial list of sensitive information includes user names, passwords, password hashes, credit card numbers, social security numbers, and any other personally identifiable information about the user. For more details about managing passwords, see MSC62-J. Store passwords using a hash function. For more information about securing the memory that holds sensitive information, see MSC59-J. Limit the lifetime of sensitive data.

Noncompliant Code Example

In this noncompliant code example, the login servlet stores the user name and password in the cookie to identify the user for subsequent requests.:

protected void doPost(HttpServletRequest request,
    HttpServletResponse response) {

  // Validate input (omitted)

  String String username = request.getParameter("username");
  char[] password = request.getParameter("password").toCharArray();
  boolean rememberMe = Boolean.valueOf(request.getParameter("rememberme"));
  
  LoginService loginService = new LoginServiceImpl();
        
  if (rememberMe) {
    if (request.getCookies()[0] != null && 
      request.getCookies()[0].getValue() != null) {
      String[] value = request.getCookies()[0].getValue().split(";");
      
      if (!loginService.isUserValid(value[0], value[1].toCharArray())) {
        // setSet error and return
      } else {
        // forwardForward to welcome page
      }
    } else {
        boolean validated = loginService.isUserValid(username, password);
      
        if (validated) {
          Cookie loginCookie = new Cookie("rememberme", username
                             + ";" + password.toString(new String(password));
          response.addCookie(loginCookie);
          // ... forwardForward to welcome page
        } else {
          // setSet error and return
        }
     }
   } else {
     // noNo remember -me functionality selected
      // proceedProceed with regular authentication,;
     // if it fails set error and return
   }
    
  Arrays.fill(password, ' ');
}

However, the attempt to implement the " remember-me " functionality is insecure because sensitive information should not be stored at client-side without strong encryption. an attacker with access to the client machine can obtain this information directly on the client. This code also violates MSC62-J. Store passwords using a hash function. The client may also have transmitted the password in clear unless it encrypted the password or uses HTTPS.

Compliant Solution (Session)

•  TODO -need to test the CS Dhruv Mohindra

...

This compliant solution implements the remember-me functionality by storing the username user name and a secure random string in the cookie. It also maintains state in the session using HttpSession.

protected void doPost(HttpServletRequest request,
    HttpServletResponse response) {
  
  // validateValidate input (omitted)

  String String username = request.getParameter("username");
  char[] password = request.getParameter("password").toCharArray();
  boolean rememberMe = Boolean.valueOf(request.getParameter("rememberme"));
  LoginService loginService = new LoginServiceImpl();
    boolean validated = false;
    if (rememberMe) {
      if (request.getCookies()[0] != null &&
          && request.getCookies()[0].getValue() != null) {
                
             
      String[] value = request.getCookies()[0].getValue().split(";");

		if             
      if (value.length != 2) {
          // setSet error and return
      }
          }

	   
       ifif (!loginService.mappingExists(value[0], value[1])) { 
        // (username, random) pair is checked
        // Set error and validatedreturn
    = loginService.isUserValid(username, password); }
    } else {
    
  validated = loginService.isUserValid(username, password);

     if if (!validated) {
             // setSet error and return
          }
        }
        
     String newRandom = loginService.getRandomString();
     // resetReset the random every time
     loginService.mapUserForRememberMe(username, newRandom);
     HttpSession session = request.getSession();
     session.invalidate();
     session = request.getSession(true);
     // Set session timeout to one15 hourminutes
     session.setMaxInactiveInterval(60 * 6015);
     // Store user attribute and a random attribute in session scope
     session.setAttribute("user", loginService.getUsername());
     Cookie loginCookie = 
      new Cookie("rememberme", username + ";"
 + newRandom);
    loginCookie.setHttpOnly(true);
                                + newRandomloginCookie.setSecure(true);
     response.addCookie(loginCookie);
     // ... forwardForward to welcome page
   } else {
    // No remember-me functionality selected
    // ...authenticate Authenticate using isUserValid() and if failed, set error
   }
    Arrays.fill(password, ' ');
}

A mapping table is maintained at server side. The table contains username The server maintains a mapping between user names and secure random string pairsstrings. When a user selects "remember “Remember me", the ” the doPost() method checks whether the supplied cookie contains a valid username user name and random string pair. If the mapping contains a matching pair, the server authenticates the user is authenticated and forwarded and forwards him or her to the welcome page. If not, then the server returns an error is returned to the client. If the user selects "remember me" “Remember me” but the client does not fails to supply a valid cookie, the server requires the user is made to authenticate using his or her credentials. If the authentication is successful, the server issues a new cookie is issued with " remember-me " characteristics.

This solution also avoids session-fixation attacks by invalidating the current session and creating a new session. It also reduces the window in during which an attacker could perform a session-hijacking attack by setting the session timeout to one15 minutes between client accesses.

Applicability

Violation of this rule places Storing unencrypted sensitive information within cookies, making the information vulnerable to packet sniffing or XSS attacks.

Related Guidelines

...

on the client makes this information available to anyone who can attack the client.

Bibliography

...

Image Modified Image Modified Image Modified