Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: Philip Stoev <philip () STOEV ORG>
Date: Sun, 24 Dec 2000 12:01:52 +0200

----- Original Message -----
From: "van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>

Then you can use cookies to cache the user info for a limited time. (Don't
push it over an hour and make sure you keep them rather secure.)

One very important thing that must be repeated once more is that cookie
expiration should not be carried out by the client and the Expires
attribute, but must be performed by the server.

You should always be prepared to handle the case when you get back an old
cookie that the client refused to expire for one reason or another
(especially a malformed client, a cookie sniffed by someone else, etc.).

------------------------------------------------------------

----- Original Message -----
From: "Drew Simonis" <simonis () myself com>

My preferred method is to store the important information on the
server, either in a database or a unique file.  The only info I
pass between the server and the client is the unique identifier
(session id) which I do my best to make as random as possible.

Something like an MD5 hash is pretty good for this.  Perhaps
a hash of the user's first and last name, address and the record ID.

The IP address must always be a part of the session ID, and must be checked
for accuracy at all stages. You should ask for the password again if the user
suddenly starts to make HTTP requests from an IP address other than the one
he initially authenticated with. I do not think this is paranoid, but it
rather prevents somebody else hijacking your login form and creating a
man-in-the-middle situation. It is not the best possible protection, but
will work in most cases.

Philip
