WebApp Sec mailing list archives
Re: Session security with cookies
From: Ron <ronlists () skullsecurity com>
Date: Tue, 04 Dec 2007 12:47:35 -0600
Something I've recently been toying with is the idea of encrypting/signing cookies with a private key on the server. The the cookies can't be read or tampered with by the user, nor can they be stolen by cross-site attacks and the like.
This isn't something I've done a lot of work with, however, so I may be missing something obvious, and am open to comments on the idea.
Ron Till Elsner wrote:
Hi, i'm investigating in web application security this time and i'm trying to find some information about session management with cookies and related security issues. Can anyone point me to tips on how to make cookie based sessions more secure and how to prevent session hijacking? How secure is session handling using cookies and what are the main risks? Is anyone aware of good literature on that topic?Thanks and have a nice day Till -------------------------------------------------------------------------Sponsored by: WatchfireMethodologies & Tools for Web Application Security AssessmentWith the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
-------------------------------------------------------------------------Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Session security with cookies Till Elsner (Dec 04)
- Re: Session security with cookies Paul Johnston (Dec 04)
- RE: Session security with cookies Jeffory Atkinson (Dec 04)
- Re: Session security with cookies bugtraq (Dec 04)
- Re: Session security with cookies Thomas (Dec 05)
- Re: Session security with cookies Aaron Katz (Dec 05)
- Re: Session security with cookies Aaron Katz (Dec 05)
- Re: Session security with cookies Vicente Aguilera (Dec 05)
- RE: Session security with cookies WebAppSec (Dec 08)
- Re: Session security with cookies Ron (Dec 04)
- Re: Session security with cookies Aaron Katz (Dec 04)
- Re: Session security with cookies Till Elsner (Dec 05)
- Re: Session security with cookies Aaron Katz (Dec 05)
- Re: Session security with cookies Till Elsner (Dec 05)
- Re: Session security with cookies Aaron Katz (Dec 05)
- Re: Session security with cookies Aaron Shelmire (Dec 08)
- Re: Session security with cookies Eduardo Tongson (Dec 08)
- Cryptographically Generated Cookies Paul Johnston (Dec 12)
- Re: Cryptographically Generated Cookies Andy Steingruebl (Dec 14)
- Re: Cryptographically Generated Cookies Jamie Riden (Dec 14)
- Re: Session security with cookies Aaron Katz (Dec 04)