David

Reputation: 657

How secure are Cookies when set by an ASP.NET web application?

I want to know how secure a cookie is and if it can be read by other applications other than the one that set it.

I want to set a cookie that will store some sensitive data for my site to read at any time.

Can other applications read cookies that my application sets? If so, do I need to encrypt the data stored in the cookie?

NOTE: I do not have access to SSL.

EDIT: The info I want to store is user details. I am creating a white label website. On the request of a specific URL (e.g. www.mysite.com/joebloggs) I want user data about Joe Bloggs to be stored on the client machine. When the client returns to www.mysite.com I want the data on Joe Bloggs to be read from the cookie so I can track it.

Upvotes: 2

Views: 2048

Answers (3)

Martin Ernst

Reputation: 5679

If you're not concerned enough about security to use SSL, then an easy and relatively straightforward option is to generate a new Guid for the user, store that Guid in your database, and write the Guid to a cookie.

I definitely wouldn't use this to protect credit card or banking or anything highly sensitive, but if you need to protect such data then SSL is a minimum requirement.

At the end of the day, it's possible to sniff traffic without SSL so any cookie that gets sent across the network could be sniffed by someone with malicious intent, and if that cookie is used to identify a user on your system, then they could very easily impersonate that user. The benefit of using a Guid is that if someone does manage to find 1 person's cookie, they will not be able to guess a pattern to figure out someone else's, so while 1 person might be compromised at least your entire user base won't be!

Probably a reasonable approach would be to generate a guid, and an expiry date, encrypt them both and set that as the cookie - then check the expiry date when the user comes back with the cookie, and periodically change the guid. Again, this is by no means secure against network sniffing, but it does give some measure of security as well as the convenience of remembering users across sessions.

Upvotes: 1
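The opaque-handle pattern this answer describes, written out as an added ASP.NET example (not the answerer's code): the cookie carries only a random GUID, every detail about the user stays server-side keyed by that GUID, the handle has an expiry, and it is replaced on each successful visit so a captured value has a limited life. The cookie name, the 30-day lifetime and the in-memory dictionary standing in for the database are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;

// Added example: an opaque "remember me" handle for a white-label site.
// Nothing about the user is stored in the cookie itself, so the value can
// neither be read for user details nor forged; the worst case is replay of
// a sniffed handle until it expires or is rotated.
public static class UserHandleCookie
{
    private const string CookieName = "uh";                      // assumed cookie name
    private static readonly TimeSpan Lifetime = TimeSpan.FromDays(30); // assumed lifetime

    // handle -> (userId, expiresUtc). Placeholder for the database table the answer mentions.
    private static readonly ConcurrentDictionary<string, Tuple<string, DateTime>> Store =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();

    // Called when /joebloggs is requested: mint a fresh, unguessable handle for that user.
    public static string Issue(HttpResponseBase response, string userId)
    {
        string handle = Guid.NewGuid().ToString("N");   // random GUID: no pattern to derive other users' handles from
        DateTime expires = DateTime.UtcNow.Add(Lifetime);
        Store[handle] = Tuple.Create(userId, expires);

        var cookie = new HttpCookie(CookieName, handle)
        {
            HttpOnly = true,   // keeps page script from reading it (addons and network sniffers still can)
            Expires = expires,
            Path = "/",
        };
        response.Cookies.Add(cookie);
        return handle;
    }

    // Called when the client returns: resolve the handle to a user id, or null when the
    // cookie is absent, malformed, unknown or expired. A valid handle is rotated on every use.
    public static string Resolve(HttpRequestBase request, HttpResponseBase response)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        Guid parsed;
        if (!Guid.TryParseExact(cookie.Value, "N", out parsed)) return null; // reject garbage early

        Tuple<string, DateTime> entry;
        if (!Store.TryRemove(cookie.Value, out entry)) return null;        // unknown or already used
        if (entry.Item2 <= DateTime.UtcNow) return null;                    // server-side expiry wins over the browser's

        Issue(response, entry.Item1);   // rotate: the old handle is gone, a new one is set
        return entry.Item1;
    }
}
```

Rotating on every visit is one way to honour the "periodically change the guid" advice; a real store would also let you revoke all handles for a user when they log out or change their password.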

Pablo Romeo

Reputation: 11396

If you can avoid including sensitive data in cookies, that would be best, since, as was said in another answer, anything on the user's computer can always be compromised.

However, if you DO need to, you should always encrypt the data. Default encryption on Forms Authentication cookies is through DPAPI which uses the user context running the web app and the machine key, so it would not be best suited for load balanced environments.

In that case, you should go for encryption through digital certificates (RSA, for example).

For cookies you manage yourself you'd have to use the Crypto API, or some wrapper or utility classes, such as this one. For the Forms Authentication cookie, there is the protection setting which lets you configure the encryption mechanism.

Upvotes: 1
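An added example (not the answerer's code) of protecting a cookie you manage yourself, using the MachineKey.Protect/Unprotect API from System.Web.Security (available from .NET 4.5). It provides authenticated encryption keyed by the machineKey element in web.config; when that element is set explicitly with the same keys on every server, the cookie round-trips correctly across a load-balanced farm, which is the problem the answer raises with per-machine keys. The payload layout (8 bytes of expiry ticks followed by UTF-8 data), the purpose string and the cookie name are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example: a self-managed cookie whose value is encrypted and integrity-protected.
// Requires an explicit <machineKey> so every node in a farm uses the same keys, e.g.
//   <machineKey validationKey="PLACEHOLDER-HEX" decryptionKey="PLACEHOLDER-HEX"
//               validation="HMACSHA256" decryption="AES" />
// (values are placeholders; generate your own and keep them out of source control).
public static class ProtectedCookie
{
    // The purpose string binds the ciphertext to this use, so a blob protected
    // elsewhere with the same keys (e.g. a different cookie) will not validate here.
    private const string Purpose = "ProtectedCookie.v1"; // assumed

    public static string Seal(string plaintext, DateTime expiresUtc)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        byte[] payload = new byte[8 + data.Length];
        Buffer.BlockCopy(BitConverter.GetBytes(expiresUtc.Ticks), 0, payload, 0, 8);
        Buffer.BlockCopy(data, 0, payload, 8, data.Length);
        byte[] sealedBytes = MachineKey.Protect(payload, Purpose);   // encrypt + MAC
        return HttpServerUtility.UrlTokenEncode(sealedBytes);        // cookie-safe base64 variant
    }

    // Returns the plaintext, or null when the value is missing, malformed, tampered,
    // protected for another purpose or with other keys, or past its embedded expiry.
    public static string Open(string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue)) return null;
        byte[] sealedBytes = HttpServerUtility.UrlTokenDecode(cookieValue);
        if (sealedBytes == null) return null;

        byte[] payload;
        try { payload = MachineKey.Unprotect(sealedBytes, Purpose); }
        catch (CryptographicException) { return null; }             // MAC failure: tampering or key change
        if (payload == null || payload.Length < 8) return null;

        var expiresUtc = new DateTime(BitConverter.ToInt64(payload, 0), DateTimeKind.Utc);
        if (expiresUtc <= DateTime.UtcNow) return null;              // expiry is inside the MAC, so it cannot be extended client-side
        return Encoding.UTF8.GetString(payload, 8, payload.Length - 8);
    }

    public static void Write(HttpResponseBase response, string name, string plaintext, TimeSpan lifetime)
    {
        DateTime expires = DateTime.UtcNow.Add(lifetime);
        response.Cookies.Add(new HttpCookie(name, Seal(plaintext, expires))
        {
            HttpOnly = true,
            Expires = expires,
            Path = "/",
        });
    }

    public static string Read(HttpRequestBase request, string name)
    {
        HttpCookie c = request.Cookies[name];
        return c == null ? null : Open(c.Value);
    }
}
```

Encryption here hides the contents from whoever sees the cookie and the MAC stops them editing it, but it does not stop an intercepted cookie being replayed as-is; without HTTPS that remains the residual risk, which is why keeping the lifetime short matters.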

SLaks

Reputation: 887797

Any code running on the user's computer (including browser addons) can always read and write cookies, and there is nothing you can do about that (other than encryption).

Anyone sniffing the network can read and write (if applicable) all cookies for non-HTTPS sites.

Web applications on other domains cannot read or write cookies, except in limited circumstances for sibling domains (e.g., x.cloudapp.net and y.cloudapp.net) (see cookie tossing).

Upvotes: 9
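An added example (not the answerer's code) of the two server-side steps that follow from this answer's last point: issue the cookie without a Domain attribute so the browser treats it as host-only and does not send it to sibling subdomains, and on the way back in refuse to act when the raw Cookie header carries the same name more than once, which is what a tossed cookie from a sibling domain looks like alongside your own. The cookie name in the sample header is constructed.

```csharp
using System;
using System.Linq;
using System.Web;

// Added example: scoping a cookie to one host and detecting a duplicated cookie name.
public static class CookieScope
{
    // No Domain attribute: per RFC 6265 the browser then marks the cookie host-only and
    // returns it only to the exact host that set it, not to x.cloudapp.net's siblings.
    // Setting Domain (even to the exact host) would opt back in to subdomain sharing.
    public static HttpCookie CreateHostOnly(string name, string value, DateTime expiresUtc)
    {
        return new HttpCookie(name, value)
        {
            Path = "/",
            HttpOnly = true,    // out of reach of page script; addons and sniffers still see it
            Expires = expiresUtc,
        };
    }

    // Count how many times `name` appears in a raw Cookie header value,
    // e.g. "uh=abc; uh=def; lang=en" gives 2 for "uh".
    public static int CountCookieName(string rawCookieHeader, string name)
    {
        if (string.IsNullOrEmpty(rawCookieHeader)) return 0;
        return rawCookieHeader.Split(';')
            .Select(part => part.Trim())
            .Count(part => part.StartsWith(name + "=", StringComparison.Ordinal));
    }

    // Returns the cookie value only when exactly one cookie of that name was sent;
    // null when it is absent or ambiguous. Request.Cookies[name] alone would silently
    // pick one of the duplicates, so the raw header is checked first.
    public static string ReadUnambiguous(HttpRequestBase request, string name)
    {
        if (CountCookieName(request.Headers["Cookie"], name) != 1) return null;
        HttpCookie c = request.Cookies[name];
        return c == null ? null : c.Value;
    }
}
```

Treating a duplicated name as "no cookie" forces the visitor to re-establish the cookie from your own site rather than letting a sibling-domain value win by ordering.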
