WebApp Sec mailing list archives
Re: How to protect against cookie stealing?
From: Brant Langer Gurganus <brantgurganus2001 () cherokeescouting org>
Date: Thu, 24 Jul 2003 08:07:23 -0500
Phil Cox wrote:
All, I have a question on how people are handling cookie stealing and session segregation. For example, it is possible to use session cookie information on multiple systems for most (all?) web applications I know of. Here is a scenario:

When a user logs in he is assigned a BLAH_SESSIONID cookie which serves as an authorization mechanism in the application. The application does not associate the cookie to any session-specific information (e.g., source IP address), so another user can also use the BLAH_SESSIONID cookie to access the same information (over a different TCP/IP session) that the legitimate user can. If an attacker obtains, or guesses, a valid BLAH_SESSIONID cookie for an active session, he can use it without the user's knowledge. For example, I was able to execute the following command using a BLAH_SESSIONID that was obtained from another session:

Command on Linux box:

# curl -b "BLAH_SESSIONID=0000FDHTNLVY5WX" https://somesite.com/App/Function?

Returns the page:

(some portion of the returned page)

Historically I have believed that having the application associate the BLAH_SESSIONID session cookie and its associated privileges with a specific SSL session or source IP address would prevent this session stealing. But recently I have been told that this solution does not work because of the dynamic IP nature of MANY ISP's and the disassociation of SSL/HTTP. I would like to know what others are doing to solve this problem, or if they are just not solving it at all. Thoughts and comments are appreciated...
I know Bugzilla at bugzilla.mozilla.org makes it an option to associate the session with the IP. However, this fails in cases of anonymizers and proxies that give many computers a single IP. Yahoo!, for such things as e-mail, requires reauthentication every ? minutes of inactivity. I have found, though, that when I store a cookie for a password, I should store the hashed version so that if somebody gets a hold of the cookie, the password is still secure because the hash cannot be reversed. I can't think of any parameter or combination of parameters that is truly unique to a single computer, but if it were possible, it would remove the anonymity that partially makes the Internet so popular.
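An added illustration (not code from either poster) of the server-side options raised in this exchange: an unguessable random session ID, an inactivity timeout of the kind Brant describes for Yahoo!, and optional source-IP binding of the kind Bugzilla offers. The store returns a reason string so the IP-binding failure mode Phil was warned about (a legitimate user whose address changes) is visible next to the replay case it is meant to stop. The 15-minute timeout, the `SessionStore` class and the sample addresses are assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed re-authentication window; the thread only says "every ? minutes".
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    client_ip: str    # address the session was issued to (enforced only if bind_ip=True)
    last_seen: float  # time of last accepted request, drives the inactivity timeout


class SessionStore:
    """Server-side session state; the cookie carries only the opaque ID."""

    def __init__(self, bind_ip: bool, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self.bind_ip = bind_ip
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str, now: float) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG: unlike a short,
        # structured ID, this cannot be guessed or enumerated by an attacker.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip, now)
        return sid

    def lookup(self, sid: str, client_ip: str, now: float) -> Tuple[Optional[str], str]:
        """Return (user, reason); user is None when the cookie is rejected."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "unknown-session"
        if now - s.last_seen > self.idle_timeout:
            # Expired through inactivity: force re-authentication, so a stolen
            # cookie has a bounded useful lifetime even without IP binding.
            del self._sessions[sid]
            return None, "idle-timeout"
        if self.bind_ip and client_ip != s.client_ip:
            # Either a cookie replayed from another host, or the real user whose
            # address changed (dynamic IP, proxy pool, anonymizer). The store
            # cannot tell these apart, which is the objection raised in the
            # thread; the safe response is to log the event and require login.
            return None, "ip-mismatch"
        s.last_seen = now
        return s.user, "ok"

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def demo() -> Dict[str, str]:
    """Walk through the thread's scenario and return the outcome of each request."""
    t0 = 1_000_000.0
    results: Dict[str, str] = {}

    # Strict store: session tied to the issuing address (Bugzilla-style option).
    strict = SessionStore(bind_ip=True)
    sid = strict.login("alice", "198.51.100.10", t0)                      # constructed addresses
    results["owner"] = strict.lookup(sid, "198.51.100.10", t0 + 60)[1]
    results["replay_from_other_host"] = strict.lookup(sid, "203.0.113.7", t0 + 61)[1]
    # The same check also rejects alice herself after her ISP hands out a new address.
    results["owner_after_ip_change"] = strict.lookup(sid, "198.51.100.99", t0 + 62)[1]

    # Lenient store: no IP binding, so the inactivity timeout is the only bound.
    lenient = SessionStore(bind_ip=False)
    sid2 = lenient.login("alice", "198.51.100.10", t0)
    results["replay_no_binding"] = lenient.lookup(sid2, "203.0.113.7", t0 + 60)[1]
    late = t0 + 60 + IDLE_TIMEOUT_SECONDS + 1
    results["after_idle"] = lenient.lookup(sid2, "198.51.100.10", late)[1]
    results["after_idle_again"] = lenient.lookup(sid2, "198.51.100.10", late + 1)[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26s} {outcome}")
```

Run as a script it prints one line per request. The two stores make the trade-off concrete: with `bind_ip=True` the replayed cookie is refused, but so is the owner after an address change; with `bind_ip=False` the replay succeeds and only the idle timeout limits how long a stolen cookie stays useful.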
Current thread:
- How to protect against cookie stealing? Phil Cox (Jul 24)
- Re: How to protect against cookie stealing? Brant Langer Gurganus (Jul 24)
- Re: How to protect against cookie stealing? Bill Pennington (Jul 24)
- Re: How to protect against cookie stealing? Marc Slemko (Jul 27)
- <Possible follow-ups>
- RE: How to protect against cookie stealing? Dawes, Rogan (ZA - Johannesburg) (Jul 24)
- RE: How to protect against cookie stealing? .:[ Death Star]:. (Jul 24)
- Re: How to protect against cookie stealing? Chris Green (Jul 26)
- Re: How to protect against cookie stealing? Erik Kangas, PhD (Jul 26)
- RE: How to protect against cookie stealing? .:[ Death Star]:. (Jul 24)
- RE: How to protect against cookie stealing? Ingo Struck (Jul 24)
- RE: How to protect against cookie stealing? Gabriel Lawrence (Jul 27)
- Re: How to protect against cookie stealing? Mark Reardon (Jul 24)
- Re: How to protect against cookie stealing? Ken Anderson (Jul 24)