WebApp Sec mailing list archives
RE: How can i protect against session hijacking?
From: "Brian Shura" <bshura73 () gmail com>
Date: Sat, 28 Mar 2009 08:51:21 -0700
If the web application is vulnerable to XSS and the user's machine is infected with malware, all bets are off. But here are some other ways to protect against session hijacking that you didn't have on your list:

1. Store your session token in a cookie instead of passing it around in the URL.
2. Mark session cookies with the "secure" flag so that they will only be passed via an SSL connection. This is an easy extra layer of defense to implement.
3. If possible, don't set the "domain" attribute for your session cookie. If you don't set the "domain" attribute, the cookie will only be passed back to the hostname that set the cookie.
4. Force an SSL connection for the website that you're trying to secure. Don't even respond on port 80. Don't try to pick and choose which pages should use SSL and which pages should not use SSL - for example using SSL for the login but not using SSL for the user's inbox is not a good idea!
5. Use a cryptographically random session token that is not vulnerable to guessing or prediction.
6. Make sure your session cookie is not persistent so that it won't be stored on the user's hard drive.

-Brian

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Martin O'Neal
Sent: Saturday, March 28, 2009 3:53 AM
To: Tommy; webappsec () securityfocus com
Subject: RE: How can i protect against session hijacking?
If an attacker gets hold of the end user's cookies (through XSS and so forth), how can you actually prevent session hijacking?

The short answer is that you can't (and most of the things you can try to compensate with won't work, but will break something else, or impact on the user experience); as soon as you have lost the session ID, then you have lost the session ID. Focus your efforts on not losing the session ID.

Just my 2p. :)

Martin...
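Brian's points 2, 3, 5 and 6 as code, an added example that is not part of the original thread: a session token generated from the OS CSPRNG, a Set-Cookie value built the way the list recommends, and an audit function that reports which of those points a given Set-Cookie value violates. The cookie name SESSIONID and the minimum token length are assumptions of this example.

```python
import secrets

SESSION_COOKIE = "SESSIONID"   # assumed cookie name for this example
MIN_TOKEN_CHARS = 22           # assumed floor: token_urlsafe(16) yields 22 chars


def new_session_token(nbytes: int = 32) -> str:
    # Point 5: draw the token from the OS CSPRNG (secrets -> os.urandom),
    # never from a counter, timestamp or a non-cryptographic PRNG.
    return secrets.token_urlsafe(nbytes)


def session_set_cookie_header(token: str) -> str:
    # Point 2: Secure, so the browser only sends it over TLS.
    # Point 3: no Domain attribute, so only the setting host receives it.
    # Point 6: no Expires/Max-Age, so it stays a session cookie in memory.
    return f"{SESSION_COOKIE}={token}; Path=/; Secure"


def audit_set_cookie(header_value: str) -> list:
    """Return the points from the list above that a Set-Cookie value breaks.

    The input is the value of one Set-Cookie header, e.g. the strings
    returned by session_set_cookie_header() or one read from a response.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name_value, attrs = parts[0], parts[1:]
    value = name_value.split("=", 1)[1] if "=" in name_value else ""
    # Attribute names only; flags like Secure carry no "=value" part.
    attr_names = {a.split("=", 1)[0].strip().lower() for a in attrs}

    findings = []
    if "secure" not in attr_names:
        findings.append("missing Secure flag (point 2)")
    if "domain" in attr_names:
        findings.append("Domain attribute set (point 3)")
    if len(value) < MIN_TOKEN_CHARS:
        findings.append("session token too short to resist guessing (point 5)")
    if "expires" in attr_names or "max-age" in attr_names:
        findings.append("persistent cookie, Expires/Max-Age set (point 6)")
    return findings


if __name__ == "__main__":
    good = session_set_cookie_header(new_session_token())
    # Constructed weak header for comparison, not from any real application.
    weak = "SESSIONID=1234; Path=/; Domain=example.com; Max-Age=86400"
    print(good, audit_set_cookie(good))
    print(weak, audit_set_cookie(weak))
```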