Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: Bennett Todd <bet () RAHUL NET>
Date: Wed, 27 Dec 2000 14:47:37 -0500
2000-12-27-09:24:40 Olle Segerdahl:
This is something you see very often, people who think the cookie has to be "computed" to be a valid security token... I do not agree.
For trivial little single-server sites, I prefer your design as well; it's a far simpler security model.
The token given to the client to "cache authentication credentials" should (IMHO) be a pseudo-random value that has no association with the actual client information and authentication credentials.
Yup, easy as can be: just pluck "cookies" off /dev/random, use 'em as keys into a local database. Except --- that database has to be visible to every web server the user might hit during a "session".
Can someone explain to me the benefits of Hugo's aproach vs. a pseudo-random value as a token?
Easily. There's no security benefit whatsoever, rather there's a security loss. But the possibility exists, if suitable care is taken in the whole system design, of storing the actual session info in the cookie, and not just an identifying key into a local database. If you can pull that off without an unacceptable loss of security, then you acquire the ability to use all the browsers as your distributed data store for session tracking, which buys you genuine scalability --- throw more servers at the farm to grow the user load you can handle. There are other approaches to scaling up to larger web farms while keeping consistent session-tracking database views available across them all. They all use technology, like e.g. RDBMSes, that adds its own costs and downsides to the overall design. If I can design so all session tracking lives within cookies, using suitable encryption and inclusion of timestamps and whatnot to make this a reasonably safe operation, then the server farm can simply and gracefully scale up by adding independant boxes behind a simple (and therefore fast) load balancer; and when I fill up the provider's pipes, I can continue growing by spreading it over multiple POPs with no tricky interconnection requirements. I _like_ designs that scale that way. Like 'em enough to be willing to try and bake cookies with just the right dash of crypto so they can provide reasonable session security. -Bennett
Attachment:
_bin
Description:
Current thread:
- [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Anonymous (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Olle Segerdahl (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Robert van der Meulen (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Bennett Todd (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Thomas Reinke (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Philip Stoev (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Robert van der Meulen (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Drew Simonis (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management George Capehart (Dec 27)