Security Basics mailing list archives

Re: Re: Cookie Security


From: ellukicq () icqmail com
Date: 29 Apr 2008 15:33:13 -0000

Hi Audrius,

XSS would definitely leave the suggested method wide open.
Although, you could say that about any method...
With XSS available to an attacker, whatever means I use to manage the session will be weak. Even over HTTPS. No?


Your suggestion of returning a new SessionID for each request seems reasonable; in fact it's pretty much what I 
suggested towards the end of my post.
Even so, the token could still be sniffed and used by another client up until the legitimate user requests a page again.
In some cases, this may not happen due to an attacker's actions. For example, on a switched network, the very same method 
used to sniff the SessionID could be used to stop any further request from the "real" client... session stolen.
At the very least, this method would leave the application open to denial of service if an attacker can sniff session 
IDs.


Using client information (screen res, color depth, Flash, etc.) to help confirm the session seems weak. This info is 
obtained from the client, isn't it?
Nothing to stop this being sniffed and spoofed also.


Are there any methods you know of that are able to work around these issues?
I can't imagine any session system will be safe with XSS available to an attacker, so perhaps the best thing to do is 
go ahead with the suggested method, and take extra care around XSS holes.


I know SSL is the "real" solution, but I wondered if anyone has attempted to secure this common system at an 
application level. Perhaps not. If so, that's fine.

Any input you can give would be great.

Thanks.

EL
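An added example (my own code, not from the thread or any project it mentions): a minimal server-side store that rotates the session ID on every request, as discussed in the message above, and revokes the session and logs an alert when an already-retired ID is presented. The class and method names are hypothetical.

```python
import secrets

# Added example (not from the thread): a server-side session store that hands
# out a fresh session ID on every request and treats the reappearance of an
# already-rotated ID as a signal that the session can no longer be trusted.

class RotatingSessionStore:
    def __init__(self):
        self._records = {}   # handle -> {"user", "current", "revoked"}
        self._ids = {}       # session id -> (handle, is_current)
        self.alerts = []     # (event, user) tuples for the audit log / SIEM

    def create(self, user):
        """Start a session and return its first ID."""
        handle = secrets.token_hex(8)
        sid = secrets.token_urlsafe(32)
        self._records[handle] = {"user": user, "current": sid, "revoked": False}
        self._ids[sid] = (handle, True)
        return sid

    def touch(self, presented_id):
        """Validate a presented ID. Returns (user, next_id) or (None, None)."""
        entry = self._ids.get(presented_id)
        if entry is None:
            return None, None              # never issued: plain invalid cookie
        handle, is_current = entry
        rec = self._records[handle]
        if rec["revoked"]:
            return None, None
        if is_current:
            # Rotate: retire the presented ID and issue a new one. Retired IDs
            # are kept here indefinitely; a real store would expire them.
            new_id = secrets.token_urlsafe(32)
            self._ids[presented_id] = (handle, False)
            self._ids[new_id] = (handle, True)
            rec["current"] = new_id
            return rec["user"], new_id
        # A retired ID came back: either someone replayed a sniffed ID, or the
        # legitimate client never received the rotated one. Either way the
        # session cannot be trusted, so revoke it and raise an alert. As the
        # thread notes, an attacker who can sniff IDs can still knock the real
        # user off this way, so this is detection, not prevention.
        rec["revoked"] = True
        self.alerts.append(("retired_id_presented", rec["user"]))
        return None, None
```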

