Vulnerability Development mailing list archives
Re: Cookies
From: Slawek <sgp () TELSATGP COM PL>
Date: Wed, 9 Aug 2000 18:18:54 +0200
Tuesday, August 08, 2000 11:28 PM +0200, Denis Ducamp wrote:

> On Tue, Aug 08, 2000 at 02:23:17PM -0400, Kev wrote:
> > In one Web-accessible application I wrote, I did indeed put the
> > authentication information in a cookie, but I also put an MD5 hash of
> > the contents of the cookie appended to a secret that I placed in a
> > configuration file, to prevent this very security problem. I'm curious,
> > though, if anyone can point out any problems with this approach?
>
> Do you verify that :
> <snip>
> . a cookie generated for an IP A can't be used by an IP B ?
> Difficulty : if the user is behind a proxy that doesn't give the client
> IP then another client behind that proxy may use that cookie. Other data
> as client software and version may be part of verified data.
Oops, AFAIR some large IP-masquerading systems do use multiple IPs for masquerading. It may lead to requests from one user coming from more than one IP. Some HTTP proxies may use a similar technique.

Just my $.02,
Slawek
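An added example (not code from any poster in this thread) of the cookie scheme under discussion: the cookie carries its contents plus a MAC computed with a server-side secret, and verification optionally binds the cookie to the client IP as Denis suggests. It uses HMAC-MD5 keyed with the secret rather than a bare MD5 of secret-plus-contents; the secret value, cookie layout and function names are assumptions. The IP-bound case also shows the failure Slawek describes: a legitimate user whose requests arrive from a second masqueraded IP is rejected.

```python
import hashlib
import hmac
from typing import Optional

# Assumed: a secret kept in a server-side configuration file, as Kev describes.
# This is a constructed placeholder, not a real key.
SECRET = b"placeholder-secret-from-config-file"


def _mac(contents: str) -> str:
    # Keyed HMAC-MD5 over the cookie contents (swapped in for a bare hash).
    return hmac.new(SECRET, contents.encode(), hashlib.md5).hexdigest()


def make_cookie(user: str, bound_ip: Optional[str] = None) -> str:
    """Build 'user|ip|mac'; an empty ip field means the cookie is not IP-bound."""
    contents = f"{user}|{bound_ip or ''}"
    return f"{contents}|{_mac(contents)}"


def verify_cookie(cookie: str, request_ip: str) -> Optional[str]:
    """Return the user name if the cookie is authentic and, when bound, matches request_ip."""
    try:
        # rsplit from the right so a '|' inside the user name cannot shift the fields.
        user, bound_ip, mac = cookie.rsplit("|", 2)
    except ValueError:
        return None  # malformed cookie
    if not hmac.compare_digest(mac, _mac(f"{user}|{bound_ip}")):
        return None  # contents or MAC were altered
    if bound_ip and bound_ip != request_ip:
        # Issued to another address: either a copied cookie, or the same user
        # whose traffic now leaves a masquerading gateway from a second IP.
        return None
    return user


if __name__ == "__main__":
    c = make_cookie("alice", "10.0.0.1")          # constructed sample
    print(verify_cookie(c, "10.0.0.1"))           # alice
    print(verify_cookie(c, "10.0.0.2"))           # None: second masqueraded IP
    print(verify_cookie(c.replace("alice", "admin"), "10.0.0.1"))  # None: tampered
```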