Query about cookie security and website hacking

General Web Dev
1

Hi,

I have a basic classic ASP website, and use this simple login process, secured by cookies:

down vote favorite

I have a simple login page on a classic asp page.

It takes the username field from a form (“un”) and the password (“pw”) and does the following with them:

<%
    un = newstr(request.form("un"))
    pw = newstr(request.form("pw"))

    SQL = "SELECT * from my_table WHERE un = '"&un&"' AND pw = '"&pw&"'"
    set cRS = oConn.Execute(SQL)

    if cRS.EOF then
    %>

        <p>Unable to log you in. Please <a href="default.asp">try logging in again</a>.</p>

    <%
    elseif NOT cRS.EOF then

        Response.Cookies("test") = "jeQmV4'QG)Eu'N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ'p-#cYSdwY"
        Response.Cookies("test").Expires = Date() + 365

        response.redirect "main.asp"

    end if

end if
%>

Then I have some simple validation at the top of each page whose contain I only want logged in users to be able to see, which does this:

<%
test = Request.Cookies("test")
if test = "" OR test <> "jeQmV4'QG)Eu'N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ'p-#cYSdwY" then response.redirect("default.asp")
%>

I wanted to check - is that naively simple?

Could someone easily hack into my site, by e.g. setting a cookie on their computer, called “test” and whose value = “jeQmV4’QG)Eu’N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ’p-#cYSdwY”?

Or wouldn’t it be pretty unlikely someone would guess that string value of “jeQmV4’QG)Eu’N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ’p-#cYSdwY”?

According to this:
http://stackoverflow.com/questions/26430061/classic-asp-cookie-vulnerability?noredirect=1#comment41517000_26430061

It is totally rubbish.

However, how could a hacker hack into my site? Leaving aside the paramaterised input issue, which is a separate issue, why is the cookie method so risky? Because wouldn’t the hacker have to guess that the string value of “jeQmV4’QG)Eu’N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ’p-#cYSdwY” to get in, or can they use snooping tools like wireshark to intercept a user logging into the site? Wouldn’t they still have to be in the right place at the right time to accidentally come across someone trying to log in in the first place in order to get this info? Otherwise, how would they know what to look for, if no activity was going on?

Any advice much appreciated.

Thanks