WebApp Sec mailing list archives
Re: improvements in session management?
From: dd <dd () ghettohackers net>
Date: Wed, 31 Mar 2004 16:39:08 -0800
While including additional information is nice, be careful that you don't also pick information that may not stay the same during a valid session. For instance, REMOTE_ADDR can change due to a load balanced proxy setup.
There are several methods for making it very hard to use a stolen sessionid cookie. This could include checking things like user agent, acceptable languages, but better by adding data that changes on each request via cookie, form field, etc (call this the SINGLEUSEID). In addition, make sure a user can only be part of a single valid session. One could also invalidate a session if an unexpected SINGLEUSEID is seen.
Usually, if you are willing to use this method of securing a sessionid token the user is also coming in over SSL. The SSL key/cert in use shouldn't change and therefor there is a perfect opportunity to include some information (keyid, certid, etc) into the session for additional verification.
This of course still leaves the user open to browser hijacking via a XSS. dd Mark Foster wrote:
WebAppSecurity [Technicalinfo.net] wrote:I don't see the necessity for storing the user_agent for session handling - unless you need it to decide on which client-side code components you willintroduce as part of a dynamic application. Like any field submitted in HTTP(S) headers, it can be defined by the client and overwritten asnecessary - so HTTP_USER_AGENT is most certainly not a unique field that canbe trusted.Regarding the sessionID in most cases it seems to be a token that grants the holder access to the session variables and state on the server application. So it needs to be kept "secret" to avoid session hijacking. My goal was/is to keep the "secrets" close to home. I see no reason to give the session id to the browser as a cookie or URL parameter, when the shifts the burden of trust to the user. The sessionID becomes the password in a sense. I just want to UNIQUELY identify the end-user via a browser cookie, then correlate that on the server side to an active session. So even if some joker figures out the users unique cookie, it is not enough to hijack anything, since the session is accessible only to someone who knows the unique cookie AND knows the specific USER_AGENT and is at the REMOTE_ADDR. By combining elements of authentication this is a way to achieve better security, right?
Current thread:
- Re: improvements in session management? dd (Mar 31)
- Re: improvements in session management? Michael Ströder (Apr 01)
- Re: improvements in session management? dd (Apr 01)
- RE: improvements in session management? WebAppSecurity [Technicalinfo.net] (Apr 01)
- Re: improvements in session management? Michael Ströder (Apr 01)
- Re: improvements in session management? Michael Ströder (Apr 01)
- Re: improvements in session management? dd (Apr 01)
- RE: improvements in session management? WebAppSecurity [Technicalinfo.net] (Apr 01)
- Re: improvements in session management? Michael Ströder (Apr 01)
- Re: improvements in session management? Michael Ströder (Apr 01)
- <Possible follow-ups>
- Re: improvements in session management? Michael Ströder (Mar 31)
- Re: improvements in session management? Tim Akinbo (Apr 01)