WebApp Sec mailing list archives

Re: How to protect against cookie stealing?


From: "Erik Kangas, PhD" <kangas () luxsci com>
Date: Sat, 26 Jul 2003 10:21:21 -0400 (EDT)

".:[ Death Star]:." <deathstar () optonline net> writes:

There is another solution, you can use both sessionID's and cookies, so
based on the IP address you would look for the cookie before giving the
user access control. The session ID will store 2 fields (example userid
and associated ip address) the cookie will hold other fields. And u can
use multiple sessions and multiple cookies that will be destroyed upon
opening another page.

Has anyone going down this route of incorporating an IP address into
the cookie gotten pushback from people on networks with multiple
proxies or routing rules?

We have never seen a problem with any one person appearing to come from
multiple IP addresses in a single session.  You can use another piece of
information which is less unique, but still pretty diverse -- the user agent.
One trick is to make a hash of the user agent string + the cookie time stamp +
some secret key and use this in combination with the session id as a
validator.  I.e. you would have 2 cookies (or 1 cookie with 2 parts) - 
the session ID and the validation hash.  When you get the cookies
back, you validate the existence of the session, that the session has not 
timed out, and that it comes from a valid person.

You can still have cookie stealing if the stealer knows your
validation alg. and steals the cookies and spoofs the user agent and any 
other variable information that you are using in your validation hash.  But 
then, all of this information can be spoofed, including IP addresses.

If you are worried about sessions with multiple IPs, you could mask the IP
and take the first 2 octets, for example.  This would not solve the
problem completely, but would mitigate it.

If you are really, really worried, use secure cookies.  These can only really 
be stolen via direct access to the client machine.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Erik Kangas, Ph.D. --- President of Lux Scientiae, Incorporated

Lux Scientiae:       1-800-441-6612        46 Central Street
FAX:                 1-413-332-0598        Somerville, Massachusetts
Cell:                1-617-596-9558        02143, United States of America
AOL Messenger:       "luxsci"

kangas () luxsci com  ---  http://luxsci.com
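The two-part cookie described in this reply (session ID plus a validation hash over user agent, cookie timestamp and a secret, with the IP masked to its first two octets as suggested further down), written out as an added example that is not code from the post or from Lux Scientiae. It assumes an in-memory session store, a constructed server-side secret, and uses HMAC-SHA256 as the keyed hash; the three checks on return (session exists, not timed out, validator matches) follow the post.

```python
"""Session ID + validator hash cookie check, as outlined in the post."""
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret known only to the application (constructed value).
SECRET_KEY = b"constructed-demo-secret-rotate-me"
SESSION_TTL_SECONDS = 30 * 60

# Server-side session store keyed by session ID (constructed, in-memory).
SESSIONS = {}


def ip_mask(client_ip, octets=2):
    """Keep only the first N octets of an IPv4 address (the post's 'first 2 octets' mask)."""
    return ".".join(client_ip.split(".")[:octets])


def make_validator(session_id, user_agent, issued_at, masked_ip):
    """Keyed hash over user agent + timestamp + masked IP, bound to the session ID.

    The post says 'a hash of the user agent string + the cookie time stamp +
    some secret key'; HMAC is our choice of keyed hash, not prescribed by the post.
    """
    msg = "|".join([session_id, user_agent, str(issued_at), masked_ip]).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def create_session(user_id, user_agent, client_ip, now=None):
    """Issue the cookie parts: session ID, its timestamp, and the validator."""
    issued_at = int(time.time() if now is None else now)
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user_id": user_id, "issued_at": issued_at}
    validator = make_validator(session_id, user_agent, issued_at, ip_mask(client_ip))
    return {"sid": session_id, "ts": str(issued_at), "val": validator}


def validate_request(cookies, user_agent, client_ip, now=None):
    """Return (user_id, None) when all checks pass, else (None, reason)."""
    now = int(time.time() if now is None else now)
    session_id = cookies.get("sid", "")
    record = SESSIONS.get(session_id)
    if record is None:
        return None, "unknown session"
    if now - record["issued_at"] > SESSION_TTL_SECONDS:
        SESSIONS.pop(session_id, None)
        return None, "session timed out"
    # The timestamp in the cookie must agree with the server-side record.
    if cookies.get("ts") != str(record["issued_at"]):
        return None, "timestamp mismatch"
    # Recompute the validator from server state plus this request's UA and masked IP.
    expected = make_validator(session_id, user_agent, record["issued_at"], ip_mask(client_ip))
    if not hmac.compare_digest(expected, cookies.get("val", "")):
        return None, "validator mismatch"
    return record["user_id"], None


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed demo agent)"
    c = create_session("alice", ua, "192.0.2.10", now=1_000_000)
    # Same /16 prefix, same UA: passes.  # ('alice', None)
    print(validate_request(c, ua, "192.0.2.99", now=1_000_100))
    # Different UA: validator no longer matches.  # (None, 'validator mismatch')
    print(validate_request(c, "other agent", "192.0.2.10", now=1_000_100))
    # Past the TTL: rejected and the session is dropped.  # (None, 'session timed out')
    print(validate_request(c, ua, "192.0.2.10", now=1_000_000 + SESSION_TTL_SECONDS + 1))
```

Because the validator is recomputed from the server-side record, a copied cookie only passes when the presenting client also matches the user agent and the masked IP; as the post notes, that raises the bar but does not stop someone who can spoof those values too, which is why the session ID itself stays the only secret that matters and the TTL check bounds the window.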

