WebApp Sec mailing list archives
Re: How to protect against cookie stealing?
From: "Erik Kangas, PhD" <kangas () luxsci com>
Date: Sat, 26 Jul 2003 10:21:21 -0400 (EDT)
> ".:[ Death Star]:." <deathstar () optonline net> writes:
>> There is another solution, you can use both session IDs and cookies, so based on the IP address you would look for the cookie before giving the user access control. The session ID will store 2 fields (example userid and associated ip address) the cookie will hold other fields. And you can use multiple sessions and multiple cookies that will be destroyed upon opening another page.
>
> Has anyone going down this route of incorporating an IP address into the cookie gotten pushback from people on networks with multiple proxies or routing rules?
We have never seen a problem with any one person appearing to come from multiple IP addresses in a single session.

You can use another piece of information which is less unique, but still pretty diverse -- the user agent. One trick is to make a hash of the user agent string + the cookie time stamp + some secret key and use this in combination with the session id as a validator. I.e. you would have 2 cookies (or 1 cookie with 2 parts) - the session ID and the validation hash. When you get the cookies back, you validate the existence of the session, that the session has not timed out, and that it comes from a valid person.

You can still have cookie stealing if the stealer knows your validation alg. and steals the cookies and spoofs the user agent and any other variable information that you are using in your validation hash. But then, all of this information can be spoofed, including IP addresses.

If you are worried about sessions with multiple IPs, you could mask the IP and take the first 2 octets, for example. This would not solve the problem completely, but would mitigate it.

If you are really, really worried, use secure cookies. These can only really be stolen via direct access to the client machine.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Erik Kangas, Ph.D. --- President of Lux Scientiae, Incorporated
Lux Scientiae: 1-800-441-6612
46 Central Street                  FAX: 1-413-332-0598
Somerville, Massachusetts          Cell: 1-617-596-9558
02143, United States of America    AOL Messenger: "luxsci"
kangas () luxsci com --- http://luxsci.com
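The two-cookie scheme described above (a session ID plus a keyed validation hash over the user agent and the cookie timestamp, with the client IP masked to its first two octets), written out as an added Python example that is not from the original post or from the list; the secret key, session TTL, in-memory session store and sample user agents and addresses are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-demo-key-rotate-in-production"  # assumption: server-only secret
SESSION_TTL = 1800  # assumption: seconds a session stays valid

# Constructed in-memory session store: session_id -> {"user": ..., "created": ...}
SESSIONS = {}


def _binding(user_agent, created, session_id, client_ip):
    # Keyed hash (HMAC-SHA256) over user agent + cookie timestamp + session id
    # + first two octets of the client IP, keyed with the server secret.
    ip_prefix = ".".join(client_ip.split(".")[:2])
    msg = f"{user_agent}|{created}|{session_id}|{ip_prefix}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()


def create_session(user, user_agent, client_ip, now=None):
    # Issue the two cookie values: an unguessable session id and its validator.
    now = int(time.time()) if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "created": now}
    return {"sid": sid, "validator": _binding(user_agent, now, sid, client_ip).hex()}


def validate_session(cookies, user_agent, client_ip, now=None):
    # Checks in the order the post lists them: the session exists, it has not
    # timed out, and the validator matches the presenting client's binding.
    now = int(time.time()) if now is None else now
    sid = cookies.get("sid", "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return False  # unknown or already destroyed session id
    if now - sess["created"] > SESSION_TTL:
        return False  # session timed out
    expected = _binding(user_agent, sess["created"], sid, client_ip)
    try:
        presented = bytes.fromhex(cookies.get("validator", ""))
    except ValueError:
        return False  # malformed validator cookie
    # Constant-time comparison so timing does not leak the expected hash.
    return hmac.compare_digest(expected, presented)
```

A stolen cookie pair replayed from a different user agent, or from outside the original /16 prefix, fails validation while the legitimate client on the same network keeps working.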
Current thread:
- How to protect against cookie stealing? Phil Cox (Jul 24)
- Re: How to protect against cookie stealing? Brant Langer Gurganus (Jul 24)
- Re: How to protect against cookie stealing? Bill Pennington (Jul 24)
- Re: How to protect against cookie stealing? Marc Slemko (Jul 27)
- <Possible follow-ups>
- RE: How to protect against cookie stealing? Dawes, Rogan (ZA - Johannesburg) (Jul 24)
- RE: How to protect against cookie stealing? .:[ Death Star]:. (Jul 24)
- Re: How to protect against cookie stealing? Chris Green (Jul 26)
- Re: How to protect against cookie stealing? Erik Kangas, PhD (Jul 26)
- RE: How to protect against cookie stealing? .:[ Death Star]:. (Jul 24)
- RE: How to protect against cookie stealing? Ingo Struck (Jul 24)
- RE: How to protect against cookie stealing? Gabriel Lawrence (Jul 27)
- Re: How to protect against cookie stealing? Mark Reardon (Jul 24)
- Re: How to protect against cookie stealing? Ken Anderson (Jul 24)
- RE: How to protect against cookie stealing? Dawes, Rogan (ZA - Johannesburg) (Jul 27)
- RE: How to protect against cookie stealing? .:[ Death Star]:. (Jul 27)
- RE: How to protect against cookie stealing? Dawes, Rogan (ZA - Johannesburg) (Jul 27)
- RE: How to protect against cookie stealing? Dawes, Rogan (ZA - Johannesburg) (Jul 28)
- RE: How to protect against cookie stealing? PortSwigger (Jul 29)