WebApp Sec mailing list archives

RE: Session ID Abuse


From: "Kris Wilkinson" <kris () Titan-Networks ca>
Date: Fri, 13 Feb 2004 08:47:14 -0700


1.  Another user to change the session information on the server and 
change access from read only to write (by knowing the session id)?

This depends entirely on how you're setting up your application. If
you're going to plant sessions permanently on machines, I think you're
looking at major security issues ... depending on how you're setting it
up. Are you storing the unique session id in a cookie on the local
machine? I would recommend creating a login sequence which creates a
unique session id every time a user logs in. If you're looking for both
read/write access, then have the page on refresh head back to a
temporary login prompt which asks for a username and password to
authenticate.

2.  Knowing the session id (perhaps from info on the URL) can one create
another session from another browser using the same session ID?

Never store your session id anywhere that a user can find easily.

3.  How can you effectively limit concurrent access to only 1 session?

When the user logs in, grab his IP address and store this value in an
adjacent table column. I.e. ... when the user is authenticated to access
the page, verify the IP address against the session id in your database.
It's only a small solution to your problem, but it's a step in the right
direction.

4.  If client side certificates were to be used, could you create
another session from another browser once the first session was
authenticated?  I.e., how do you restrict the access to only one browser?

Back to your session setup ... what type of session are you talking
about?

5.  If you are using server side validation for all user invoked
queries, is it still possible to force data into the application to
elevate your role?  Assume that user roles are clearly defined in the
db.

I believe you're talking about an Injection Attack? You need to make
sure all data being sent to your database is verified prior to even
running the query.

6.  If a user with high privileges (such as write to db) leaves a
workstation unattended with no session timeout, are there any controls
that one could put in place to still validate the user is the privileged
user after a period of time?  For example, keep the session active, but to
make any changes the application must validate information on a USB key?

It takes 2 seconds for a user to login again ... just force them to
enter their username and password.

7.  How do you choose between session IDs tagged in the URL, and session
IDs in cookies?  How do you restrict the information in either URL or
cookie so that users can't use this info to abuse the application?

You have them expire.



Thanks



Johnny
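The controls the reply sketches (a fresh session id at every login, an IP column checked against the session id, expiry, and a fresh password check before any write) in one place, as an added Python example that is not code from the thread; the SessionStore class, the timeout values and the sample addresses are constructed for illustration.

```python
import secrets
import time

SESSION_TTL = 900      # idle timeout in seconds (constructed value)
REAUTH_WINDOW = 300    # writes need a password check at most this old (constructed)


class SessionStore:
    """In-memory stand-in for the DB table the reply describes:
    session id -> record, with the client IP stored beside it."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, client_ip, now=None):
        now = now or time.time()
        # A new, unguessable id on every login; never reuse a pre-login id.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "ip": client_ip,
                              "last_seen": now, "last_auth": now}
        return sid

    def validate(self, sid, client_ip, now=None):
        """Return the user for sid, or None if the id is unknown, idle past
        SESSION_TTL, or presented from a different IP than at login.
        (IP binding is the 'small solution' of the reply: it breaks for
        clients behind a changing NAT or proxy, so it is a check, not proof.)"""
        now = now or time.time()
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > SESSION_TTL:
            del self.sessions[sid]        # expired: remove it server-side
            return None
        if rec["ip"] != client_ip:
            return None                   # same id from another host
        rec["last_seen"] = now
        return rec["user"]

    def may_write(self, sid, client_ip, now=None):
        """Writes also require a password check within REAUTH_WINDOW."""
        now = now or time.time()
        if self.validate(sid, client_ip, now) is None:
            return False
        return now - self.sessions[sid]["last_auth"] <= REAUTH_WINDOW

    def reauthenticate(self, sid, client_ip, password_ok, now=None):
        """Record a fresh username/password check on a still-valid session."""
        now = now or time.time()
        if self.validate(sid, client_ip, now) is None or not password_ok:
            return False
        self.sessions[sid]["last_auth"] = now
        return True
```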

