Vulnerability Development mailing list archives

Re: Cookies


From: Slawek <sgp () TELSATGP COM PL>
Date: Wed, 9 Aug 2000 18:18:54 +0200

Tuesday, August 08, 2000 11:28 PM +0200, Denis Ducamp wrote:
On Tue, Aug 08, 2000 at 02:23:17PM -0400, Kev wrote:
In one Web-accessible application I wrote, I did indeed put the authentication
information in a cookie, but I also put an MD5 hash of the contents of the
cookie appended to a secret that I placed in a configuration file, to prevent
this very security problem.  I'm curious, though, if anyone can point out
any problems with this approach?

Do you verify that :
<snip>
. a cookie generated for an IP A can't be used by an IP B ?
  Difficulty : if the user is behind a proxy that doesn't give the client IP
  then another client behind that proxy may use that cookie.
  Other data as client software and version may be part of verified data.


oops,

afair some large ip-masquerading systems do use multiple IPs for
masquerading. It may lead to requests from one user coming from more than
one IP.

some http proxies may use a similar technique.


just my $.02,
Slawek
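
An added illustration of the trade-off raised in this thread, not code from any of the posters: a cookie carrying a keyed hash, optionally bound to the client IP, checked against a user whose requests leave through two masquerading addresses. HMAC-SHA256 replaces the MD5-with-secret construction mentioned above; the cookie layout, function names, user name and addresses are assumptions constructed for the example.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: stands in for the secret kept in the config file


def _mac(payload: str, secret: bytes) -> str:
    # HMAC-SHA256 is swapped in here for the thread's MD5(cookie contents + secret).
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, client_ip: str, bind_ip: bool, secret: bytes = SECRET) -> str:
    """Return 'user|flag|tag'; the IP is folded into the tag only when bind_ip is set."""
    flag = "ip" if bind_ip else "noip"
    bound = client_ip if bind_ip else ""
    return f"{user}|{flag}|{_mac(f'{user}|{flag}|{bound}', secret)}"


def verify_cookie(cookie: str, client_ip: str, secret: bytes = SECRET):
    """Return the user name if the tag matches for this request's source IP, else None."""
    parts = cookie.split("|")
    if len(parts) != 3 or parts[1] not in ("ip", "noip"):
        return None
    user, flag, tag = parts
    bound = client_ip if flag == "ip" else ""
    expected = _mac(f"{user}|{flag}|{bound}", secret)
    # Compare as bytes in constant time; a non-ASCII tag simply fails to match.
    return user if hmac.compare_digest(tag.encode(), expected.encode()) else None


def demo():
    # Constructed addresses (documentation range): one user whose requests leave a
    # masquerading pool through two different public IPs.
    first_exit, second_exit = "203.0.113.10", "203.0.113.11"
    bound = issue_cookie("kev", first_exit, bind_ip=True)
    unbound = issue_cookie("kev", first_exit, bind_ip=False)
    return {
        "bound_same_ip": verify_cookie(bound, first_exit),
        "bound_other_exit": verify_cookie(bound, second_exit),  # same user, rejected
        "unbound_other_exit": verify_cookie(unbound, second_exit),
        "tampered": verify_cookie(bound.replace("kev", "root", 1), first_exit),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The IP-bound cookie stops verifying as soon as the same user's request arrives from the second exit address, while the unbound cookie verifies from any address.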

