Security Basics mailing list archives

Cookie Security


From: ellukicq () icqmail com
Date: 28 Apr 2008 14:17:10 -0000

Hi Everyone,

I have recently analysed a web application and found what I imagine is a common flaw.
As a result, I'm after some advice around cookie security in web applications.



The web application server simply provides the client with a unique session ID cookie to associate authenticated 
sessions...
The session ID is sufficiently random; however, there appear to be no methods employed to avoid the interception and 
reuse of this session ID (i.e. cookie/session stealing).
I simply have to sniff the session id cookie, and specify this from another client, and I am signed into the 
application as the associated user.

I would like to propose some actions to improve this mechanism.
I have considered the following two methods which I know to be used elsewhere:

Although the application supports SSL, it does not enforce it. (I have obviously proposed that this is changed).
Session ID limited to IP address. (proxy servers and load balancers will limit the usefulness of this method).


As SSL is not currently an option, I am also considering the following:
        *Session ID is returned to user by the web application as normal.
        *Upon next request, the user encrypts the Session ID using the MD5 hash of their password as the key 
(presumably available to JavaScript, stored as a secure cookie?). This is then posted to the server.
        *The server attempts to decrypt the string with its version of the user's hash.
        *If successful, and the Session ID is still valid, access is granted.
Does this sound feasible? Has anyone seen anything similar implemented?

Additionally, although Session IDs are changed every "x" requests, there is no alert/lockout for Session IDs that 
attempt to be reused inside of the expiry time.
(The key indication of cookie/session stealing).
Access is denied, but no alert is given that eavesdropping may have taken place. I would like to propose the user is 
signed out or alerted and administrators have a log of such events.
Is this a known method of Session ID security?


Could some of you provide your input and experience in securing this form of session management?

Thanks,

EL.
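Added example, not from the original post or its author: a server-side session table that rotates the session ID every x requests and treats any reuse of a retired-but-unexpired ID as the session-stealing indicator described above, logging it for administrators and signing the user out. ROTATE_EVERY, SESSION_TTL and the injectable clock are assumed values for illustration.

```python
import secrets
import time

ROTATE_EVERY = 5        # rotate the session ID every x requests (x is an assumed value)
SESSION_TTL = 15 * 60   # session expiry window in seconds (assumed value)


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.active = {}    # current session ID -> {"user", "requests", "expires_at"}
        self.retired = {}   # rotated-out session ID -> (user, expires_at)
        self.alerts = []    # audit log of suspected session theft, for administrators

    def login(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from a CSPRNG
        self.active[sid] = {"user": user, "requests": 0, "expires_at": self.clock() + SESSION_TTL}
        return sid

    def request(self, sid):
        """Return (user, session ID the client must use next), or None if access is denied."""
        now = self.clock()
        rec = self.active.get(sid)
        if rec is None:
            old = self.retired.get(sid)
            if old is not None and old[1] > now:
                # A retired ID presented inside its expiry window: either an eavesdropper is
                # replaying it, or the legitimate user is because the eavesdropper already
                # consumed the rotation. Either way the session is compromised: log and sign out.
                self.alerts.append({"time": now, "user": old[0], "sid": sid})
                self.sign_out(old[0])
            return None
        if rec["expires_at"] <= now:
            del self.active[sid]
            return None
        rec["requests"] += 1
        if rec["requests"] < ROTATE_EVERY:
            return rec["user"], sid
        # Rotate: retire the old ID but remember it until the session would have expired,
        # so that a later replay of it can still be recognised as theft rather than noise.
        new_sid = secrets.token_urlsafe(32)
        self.retired[sid] = (rec["user"], rec["expires_at"])
        del self.active[sid]
        self.active[new_sid] = {"user": rec["user"], "requests": 0, "expires_at": rec["expires_at"]}
        return rec["user"], new_sid

    def sign_out(self, user):
        # Terminate every active session of the affected user, not just the replayed one.
        for s in [s for s, r in self.active.items() if r["user"] == user]:
            del self.active[s]
```

A real application would answer a `None` with a redirect to the login page and would expire entries in `retired` once their window has passed.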

