Security Basics mailing list archives
Re: Cookie Security
From: Audrius <organzarama () gmail com>
Date: Tue, 29 Apr 2008 16:09:57 +0300
Hi.

If your application has XSS vulnerabilities, then such a method will not be secure. Using XSS, all client-side security methods can be overcome.

Your described technique could be implemented in an easier way. On every response, generate a new token, which must be returned to the server on the next request. Place this token into cookies, hidden fields, the URL, whatever, but the server must get it back on the next request. If the next request comes without the correct token, then the session is over. This method will also help you avoid CSRF vulnerabilities.

On the server side you can also check the user's screen resolution, color depth, browser/OS/Flash/Java version, etc. If any of these changes, the session is over. But these methods will not work if your site is vulnerable to an XSS attack.

Audrius
As SSL is not currently an option, I am also considering the following:

* Session ID is returned to the user by the web application as normal.
* Upon the next request, the user encrypts the Session ID using the MD5 hash of their password as the key (presumably available to JavaScript, stored as a secure cookie?). This is then posted to the server.
* The server attempts to decrypt the string with its version of the user's hash.
* If successful, and the Session ID is still valid, access is granted.

Does this sound feasible? Has anyone seen anything similar implemented?
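The rotating-token scheme described in the reply above, as an added illustration that is not part of the original thread: a hypothetical server-side session store (class and function names are my own) that issues a fresh token with every response, accepts a request only if it echoes the current token, and ends the session otherwise.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Session:
    user: str
    token: str   # the one-time token the client must echo on its next request

class TokenRotatingSessions:
    """Server-side store for the scheme described in the reply: every response
    carries a fresh token, the next request must return it, and a missing or wrong
    token ends the session. Hypothetical example for this page, not thread code."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> Tuple[str, str]:
        """Start a session; returns (session_id, first_token) to send to the client."""
        sid, tok = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, token=tok)
        return sid, tok

    def handle_request(self, sid: str, presented: Optional[str]) -> Optional[str]:
        """Check the token echoed by the client. Returns the next token to send with
        this response, or None when the session has been terminated."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        # Constant-time compare. A missing, replayed or forged token (the CSRF case:
        # a cross-site request cannot know the current token) ends the session.
        if presented is None or not hmac.compare_digest(sess.token.encode(), presented.encode()):
            del self._sessions[sid]
            return None
        sess.token = secrets.token_urlsafe(32)   # rotate for the next round-trip
        return sess.token

    def is_alive(self, sid: str) -> bool:
        return sid in self._sessions

def demo() -> Dict[str, bool]:
    """One legitimate round-trip, then a replay of the already-used first token."""
    store = TokenRotatingSessions()
    sid, t1 = store.login("alice")
    t2 = store.handle_request(sid, t1)       # accepted: a new token is issued
    replay = store.handle_request(sid, t1)   # stale token: rejected, session over
    return {"rotated": t2 is not None and t2 != t1,
            "replay_rejected": replay is None, "alive_after_replay": store.is_alive(sid)}
```

Two properties of the scheme itself show up here: a page that fires parallel requests (several tabs, background XMLHttpRequest calls) presents the same token twice and is logged out by this one-deep rotation, and, as the reply says, script injected via XSS can simply read and echo the current token, so the check does not survive an XSS bug.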