Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: Philip Stoev <philip () STOEV ORG>
Date: Sun, 24 Dec 2000 12:01:52 +0200
----- Original Message -----
From: "van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>
Then you can use cookies to cache the use info for a limited time. (Don't push it over an hour and make sure you keep them rather secure.)
One very important thing that must be repeated once more is that cookie expiration should not be carried out by the client and the Expires attribute, but must be performed by the server. You should always be prepared to handle the case when you get back an old cookie that the client refused to expire for one reason or another (especially a malformed client, a cookie sniffed by someone else, etc.)
------------------------------------------------------------
----- Original Message -----
From: "Drew Simonis" <simonis () myself com>
My preferred method is to store the important information on the server, either in a database or a unique file. The only info I pass between the server and the client is the unique identifier (session id) which I do my best to make as random as possible. Something like an MD5 hash is pretty good for this. Perhaps a hash of the user's first and last name, address and the record ID.
The IP address must always be a part of the session ID, and must be checked for accuracy at all stages. You should ask for the password again if the user suddenly starts to make HTTP requests from another IP address than the one he initially authenticated with. I do not think this is paranoid, but it rather prevents somebody else hijacking your login form and creating a man-in-the-middle situation. It is not the best possible protection, but will work in most cases.

Philip
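A server-side session store of the kind Drew and Philip describe, as an added example that is not part of this thread or any poster's code: the client holds only an opaque session ID, expiry is decided by the server clock regardless of what the cookie's Expires/Max-Age says, and a request from a different IP address than the one that authenticated drops the session so the application asks for the password again. The ID is drawn from the OS CSPRNG (`secrets.token_urlsafe`) rather than derived from user details; the one-hour lifetime, the `ManualClock` helper, the `handle_request` wrapper and the sample addresses are constructed for the demo.

```python
import secrets
import time
from dataclasses import dataclass, field

# Absolute session lifetime; the thread's advice is not to push it over an hour.
SESSION_TTL_SECONDS = 3600


@dataclass
class Session:
    user: str
    client_ip: str        # address the user authenticated from; checked on every request
    created_at: float
    data: dict = field(default_factory=dict)   # the "important information" stays server-side


class SessionStore:
    """Server-side session state. The client only ever sees the opaque session ID."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._sessions = {}

    def create(self, user, client_ip):
        # 32 bytes from the OS CSPRNG: unguessable and unrelated to any user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip, self.clock())
        return sid

    def lookup(self, sid, client_ip):
        """Validate a presented session ID.

        Returns ("ok", session) or (reason, None) with reason one of
        "unknown", "expired", "ip_mismatch". Expiry is decided here, by the
        server clock, so an old cookie the client failed to discard is rejected.
        """
        session = self._sessions.get(sid)
        if session is None:
            return "unknown", None
        if self.clock() - session.created_at > self.ttl:
            del self._sessions[sid]
            return "expired", None
        if session.client_ip != client_ip:
            # Request from a different address than the login: drop the session
            # so the caller can ask for the password again.
            del self._sessions[sid]
            return "ip_mismatch", None
        return "ok", session

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid, max_age=SESSION_TTL_SECONDS):
    """Build the Set-Cookie value. Max-Age is only a hint to the browser; the
    server-side TTL in SessionStore is what actually ends the session."""
    return f"session={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly"


def handle_request(store, sid, client_ip):
    """Decide what the application does with an incoming request (hypothetical wrapper)."""
    status, session = store.lookup(sid, client_ip)
    if status == "ok":
        return f"serve page for {session.user}"
    # unknown, expired and ip_mismatch all end in the same place: the login form
    return f"prompt for login ({status})"


class ManualClock:
    """Constructed stand-in for time.time() so the demo can fast-forward."""
    def __init__(self, start=1_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = ManualClock()
    store = SessionStore(clock=clock)
    sid = store.create("alice", "192.0.2.10")                   # constructed sample IPs
    steps = [handle_request(store, sid, "192.0.2.10")]          # normal request
    steps.append(handle_request(store, sid, "198.51.100.7"))    # address changed mid-session
    steps.append(handle_request(store, sid, "192.0.2.10"))      # session already invalidated
    sid2 = store.create("bob", "192.0.2.11")
    clock.advance(SESSION_TTL_SECONDS + 1)
    steps.append(handle_request(store, sid2, "192.0.2.11"))     # server-side expiry
    return steps


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The store keeps the address check and the expiry check on the server so that neither depends on the client behaving; a cookie that comes back after its Max-Age, or from a different address, is simply treated as no session at all.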
Current thread:
- [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Anonymous (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Olle Segerdahl (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Robert van der Meulen (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Bennett Todd (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Thomas Reinke (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Philip Stoev (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Robert van der Meulen (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Drew Simonis (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management George Capehart (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Drew Simonis (Dec 27)