Re: How to protect against cookie stealing?

[Brant Langer Gurganus <brantgurganus2001 () cherokeescouting org>]

Phil Cox wrote:

> All,
>
> I have a question on how people are handling cookie stealing and session
> segregation. For example, it is possible to use session cookie information
> on multiple systems for most (all?) web applications I know of.  Here is a
> scenario:
>
> When a user logs in he is assigned a BLAH_SESSIONID cookie which serves as
> an authorization mechanism in the application.  The application  does not
> associate the cookie to any session-specific information (e.g., source IP
> address), so another user can also use the BLAH_SESSIONID cookie to access
> the same information (over a different TCP/IP session) that the legitimate
> user can.  If an attacker obtains, or guesses a valid BLAH_SESSIONID cookie
> for an active session, he can use it without the user's knowledge. For
> example, I was able to execute the following command using an BLAH_SESSIONID
> that was obtained from another session: Command on Linux box: 
>
>  # curl -b "BLAH_SESSIONID=0000FDHTNLVY5WX"
> https://somesite.com/App/Function? 
>
>  Returns the page: (some portion of the returned page)
>
> Historically I have believed that having the application associate the
> BLAH_SESSIONID session cookie and its associated privileges with a specific
> SSL session or source IP address would prevent this session stealing. But
> recently I have been told that this solution does not work because of the
> dynamic IP nature of MANY ISP's and the disassociation of SSL/HTTP. I would
> like to know what others are doing to solve this problem, or if they are
> just not solving it at all.
>
> Thoughts and comments are appreciated...
>  

I know Bugzilla at bugzilla.mozilla.org makes it an option to associate 
the session with the IP.  However this fails in cases of anonymizers and 
proxies that gave many computers a single IP.  Yahoo!, for such things 
as e-mail requires reauthentication every ? minutes of inactivity.  I 
have found though that when I store a cookie for a password, I should 
store the hashed version so that if somebody gets a hold of the cookie, 
the password is still secure because the hash cannot be reversed.  I 
can't think of any parameter or combination of parameters that is truly 
unique to a single computer, but if it were possible, it would remove 
the anonymity that partially makes the Internet so popular.