WebApp Sec mailing list archives

RE: How can i protect against session hijacking?


From: "Brian Shura" <bshura73 () gmail com>
Date: Sat, 28 Mar 2009 08:51:21 -0700

If the web application is vulnerable to XSS and the user's machine is
infected with malware, all bets are off.

But here are some other ways to protect against session hijacking that you
didn't have on your list:

1.  Store your session token in a cookie instead of passing it around in the
URL.

2.  Mark session cookies with the "secure" flag so that they will only be
passed via an SSL connection.  This is an easy extra layer of defense to
implement. 

3.  If possible, don't set the "domain" attribute for your session cookie.
If you don't set the "domain" attribute, the cookie will only be passed back
to the hostname that set the cookie.

4.  Force an SSL connection for the website that you're trying to secure.
Don't even respond on port 80.  Don't try to pick and choose which pages
should use SSL and which pages should not use SSL - for example using SSL
for the login but not using SSL for the user's inbox is not a good idea!

5.  Use a cryptographically random session token that is not vulnerable to
guessing or prediction.

6.  Make sure your session cookie is not persistent so that it won't be
stored on the user's hard drive.


-Brian
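An added example, not from Brian's post or the list: a small Python helper that applies items 2, 3, 5 and 6 of the checklist above when issuing a session cookie, plus an audit function that flags a `Set-Cookie` header violating them. It also sets `HttpOnly`, which the post does not mention but which keeps page script from reading the cookie; the cookie name `sid` and the sample headers are constructed for the example.

```python
import secrets

# Minimum length (in characters) we accept for a session token value.
MIN_TOKEN_CHARS = 32


def new_session_token(nbytes: int = 32) -> str:
    """Item 5: a cryptographically random token from the OS CSPRNG.
    32 bytes -> 43 URL-safe characters, not guessable or predictable."""
    return secrets.token_urlsafe(nbytes)


def session_cookie_header(name: str, token: str) -> str:
    """Build the Set-Cookie header value for a hardened session cookie.

    - Secure     : item 2, only sent over TLS
    - no Domain  : item 3, host-only cookie, returned only to the issuing host
    - no Expires / Max-Age : item 6, a session cookie that is not written to disk
    - HttpOnly   : addition beyond the post, not readable by document.cookie
    """
    return f"{name}={token}; Path=/; Secure; HttpOnly"


def _parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list:
    """Return the checklist items a Set-Cookie header fails (empty list = clean)."""
    _, value, attrs = _parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure flag (item 2)")
    if "domain" in attrs:
        findings.append(f"Domain attribute set to {attrs['domain']} (item 3)")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie, has Expires/Max-Age (item 6)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag (addition, not in the post)")
    if len(value) < MIN_TOKEN_CHARS or value.isdigit():
        findings.append("token too short or numeric, looks predictable (item 5)")
    return findings


if __name__ == "__main__":
    # Constructed weak header, the kind of thing the checklist is meant to catch.
    weak = "sid=10482; Domain=.example.test; Expires=Wed, 01 Jan 2030 00:00:00 GMT"
    for finding in audit_set_cookie(weak):
        print("weak cookie:", finding)
    hardened = session_cookie_header("sid", new_session_token())
    print("hardened cookie findings:", audit_set_cookie(hardened))
```

The audit function is the useful half in practice: point it at the `Set-Cookie` values your application actually emits (from a proxy log or test client) and any non-empty result is a gap against the list above.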


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Martin O'Neal
Sent: Saturday, March 28, 2009 3:53 AM
To: Tommy; webappsec () securityfocus com
Subject: RE: How can i protect against session hijacking?


If an attacker gets hold of the end users cookies (through XSS and so forth), how can you actually prevent session hijacking?

The short answer is that you can't (and most of the things you can try
to compensate with won't work, but will break something else, or impact
on the user experience); as soon as you have lost the session ID, then
you have lost the session ID.

Focus your efforts on not losing the session ID.  Just my 2p. :)

Martin...
