Security Basics mailing list archives

Re: Cookie Security


From: Jørgen Hovelsen <jorgen.hovelsen () ntnu no>
Date: Wed, 30 Apr 2008 11:31:17 +0200

Red Davies wrote:
Greetings,

I simply have to sniff the session id cookie, and specify this from another client, and I am signed into the 
application as the associated user.

It is a very simple attack vector.  One that I've used successfully in
a pen-test.

One simple method which would make its use even harder would be to
encode the client's IP address in the token.  Then you can perform some
simple algorithm on your server to check if your remote client's IP
matches that which is encoded in your token.

If not, you know it's stolen.


What if a user moves his/her computer to another location and gets another IP address? Then the server would think it's a stolen token, but in fact it's not.

--
mvh
Jørgen H.
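As an added illustration of the exchange above (example code written for this page, not from either poster), here is what Red's proposal looks like on the server side and where Jørgen's objection bites: the token carries the client IP it was issued to under an HMAC so the field cannot be rewritten, the validator rejects a token presented from any other address, and a user who simply moved to a new network is rejected with exactly the same "ip_mismatch" result as a replayed token. The token layout, the function names and the addresses are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import ipaddress
import secrets

# Assumption: a per-server secret used only to authenticate tokens. It never
# leaves the server, so a client cannot rewrite the IP field of a token.
SERVER_KEY = secrets.token_bytes(32)


def _normalize_ip(addr: str) -> str:
    """Canonical form so '::ffff:198.51.100.10' and '198.51.100.10' compare equal."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)


def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_token(user_id: str, client_ip: str, key: bytes = SERVER_KEY) -> str:
    """Issue a session token bound to the address it was issued to.

    Layout (assumed for this example):
        base64url(user|session_id|ip) + "." + hex(HMAC-SHA256 over the payload)
    """
    session_id = secrets.token_hex(16)
    payload = f"{user_id}|{session_id}|{_normalize_ip(client_ip)}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, key)


def validate_token(token: str, remote_ip: str, key: bytes = SERVER_KEY) -> tuple[bool, str]:
    """Return (accepted, reason).

    Rejects tokens that do not carry a valid tag and tokens presented from an
    address other than the one encoded in them.
    """
    try:
        b64_payload, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64_payload.encode())
        remote = _normalize_ip(remote_ip)
    except ValueError:
        return False, "malformed"
    # Check the tag in constant time before trusting any field of the payload.
    if not hmac.compare_digest(_sign(payload, key), tag):
        return False, "bad_signature"
    try:
        user_id, _session_id, bound_ip = payload.decode().split("|")
    except ValueError:
        return False, "malformed"
    if bound_ip != remote:
        # A sniffed token replayed from another host ends up here, but so does a
        # legitimate user whose address changed (new network, DHCP lease, roaming
        # between proxies). From the address alone the server cannot tell the two
        # cases apart, which is the objection raised in the reply above.
        return False, "ip_mismatch"
    return True, f"ok:{user_id}"


def demo() -> tuple[tuple[bool, str], tuple[bool, str], tuple[bool, str]]:
    """Walk through the three outcomes with constructed, documentation-range addresses."""
    token = issue_token("alice", "198.51.100.10")
    same_host = validate_token(token, "198.51.100.10")   # (True, "ok:alice")
    other_host = validate_token(token, "203.0.113.5")     # (False, "ip_mismatch")
    # Flip the last hex digit of the tag to show that the IP field is protected.
    damaged = token[:-1] + ("0" if token[-1] != "0" else "1")
    tampered = validate_token(damaged, "198.51.100.10")   # (False, "bad_signature")
    return same_host, other_host, tampered


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Note that "other_host" in the demo is both the replay Red describes and the roaming user Jørgen describes; the check catches the first only at the price of rejecting the second, which is why this binding is usually treated as one risk signal among several rather than a hard reject.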