WebApp Sec mailing list archives

Re: improvements in session management?


From: Mark Foster <mark () foster cc>
Date: Wed, 31 Mar 2004 14:53:53 -0800

WebAppSecurity [Technicalinfo.net] wrote:
> I don't see the necessity for storing the user_agent for session handling -
> unless you need it to decide on which client-side code components you will
> introduce as part of a dynamic application.  Like any field submitted in
> HTTP(S) headers, it can be defined by the client and overwritten as
> necessary - so HTTP_USER_AGENT is most certainly not a unique field that can
> be trusted.

Regarding the sessionID, in most cases it seems to be a token that grants the holder access to the session variables and state on the server application. So it needs to be kept "secret" to avoid session hijacking. My goal was/is to keep the "secrets" close to home. I see no reason to give the session id to the browser as a cookie or URL parameter, when that shifts the burden of trust to the user. The sessionID becomes the password in a sense. I just want to UNIQUELY identify the end-user via a browser cookie, then correlate that on the server side to an active session. So even if some joker figures out the user's unique cookie, it is not enough to hijack anything, since the session is accessible only to someone who knows the unique cookie AND knows the specific USER_AGENT and is at the REMOTE_ADDR. By combining elements of authentication this is a way to achieve better security, right?

> I assume that your reference to ID1 cookie is in fact a unique,
> non-guessable value - and is to all intents and purposes the sessionID for
> the users connection?  In which case you don't appear to be doing anything
> different from the majority of custom session management solutions - perhaps
> just reinventing the wheel if the web service you are using (IIS, Apache
> etc.) already supports a solid session management structure that you could
> use/reference from your custom application instead.
Ok, I have looked at apache2 modules for session mgmt and only found this: http://www.perl-studio.com/mod_auth_sim/
Guess I'll give it a whirl.

--
Some days it's just not worth chewing through the restraints...
Mark D. Foster, CISSP <mark () foster cc>  http://mark.foster.cc/
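As an added example (not from this thread, and not mod_auth_sim's code), a minimal server-side session store of the kind discussed above: the browser only holds an opaque random token, all state stays on the server, and comparing REMOTE_ADDR and HTTP_USER_AGENT is an optional extra check rather than a secret. Class and method names and the idle timeout are assumptions.

```python
import secrets
import time

# Assumed inactivity timeout; the thread does not specify one.
SESSION_TTL = 1800


class SessionStore:
    """Server-side store: the browser only ever holds an opaque random token."""

    def __init__(self, bind_addr=True, bind_agent=False):
        self._sessions = {}
        self.bind_addr = bind_addr    # compare REMOTE_ADDR on every request
        self.bind_agent = bind_agent  # compare HTTP_USER_AGENT (client-chosen, weak)

    def create(self, user, remote_addr, user_agent, now=None):
        """Start a session and return the token to set as the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._sessions[token] = {"user": user, "addr": remote_addr,
                                 "agent": user_agent, "last_seen": now, "data": {}}
        return token

    def lookup(self, token, remote_addr, user_agent, now=None):
        """Return the session for this request, or None if it must be refused."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] > SESSION_TTL:   # idle too long: drop it
            self.destroy(token)
            return None
        if self.bind_addr and sess["addr"] != remote_addr:
            return None  # note: rejects legitimate users behind rotating proxies
        if self.bind_agent and sess["agent"] != user_agent:
            return None  # whoever holds the token can send the same header too
        sess["last_seen"] = now
        return sess

    def rotate(self, token):
        """Issue a fresh token for an existing session (e.g. right after login)."""
        sess = self._sessions.pop(token)
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = sess
        return new_token

    def destroy(self, token):
        self._sessions.pop(token, None)
```

The point of the `bind_agent` branch is the caveat raised in the thread: because the header string is supplied by the client, the check only defends against an accidental replay from a different client, not against anyone who already has the cookie.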
