WebApp Sec mailing list archives
RE: Session Fixation
From: Noam Eppel <noam () noameppel com>
Date: Mon, 31 Mar 2003 15:41:21 -0600
From: Information Security <InformationSecurity () federatedinv com>
To: "'alex () netWindows org'" <alex () netWindows org>, webappsec () securityfocus com
Subject: RE: Session Fixation
Date: Mon, 31 Mar 2003 15:08:07 -0500

Thanks for the comments. I disagree with a few, let me know what you think:

On Monday 31 March 2003 07:19 am, Information Security wrote:

> I recently visited a site (I think it might have been my bank) where they actually had an option for "additional security" where you could link the session to your IP address. I was impressed, and thought it was a great option, but I'm not sure how many non-security folks would.
The pitfalls of relying on a client IP for session validation and authentication have been discussed in depth before. But client IPs can be used as part of an equation that is then hashed to make the initial session ID. If an attacker can guess how sessions are generated, session hijacking becomes easier. So it is best to use a few different sources in your equation. An equation with multiple sources can make it harder for an attacker to guess a valid session. Basically you want something you know is guaranteed unique (so no two sessions are the same), sufficiently random (hard to guess) and contains one secret. For example:

Current Time - guaranteed unique.
Random Function - pseudo random number.
Client IP - ex. 65.78.98.20
Server Secret - "the king is great!"

SESSIONID = SaltedHASH(current time + random number + client IP + server secret)

The hash can use algorithms such as MD5 (128b), SHA-1 (160b) or SHA-256 (256b).

An attacker can know the algorithm used, may know the client IP and might figure out the time the session was generated, but would not know the random number or server secret.

Of course, most popular server side development languages can automatically generate session IDs so this is not a concern for most developers.

Noam Eppel
secure () noameppel com
Web Security Consultant
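The construction described in the message above, as an added example that is not part of the original post: a session ID derived from the four sources listed (time, random number, client IP, server secret), with the "salted hash" realised as HMAC-SHA-256 keyed with the server secret. That keying choice and the length-prefixed field framing are my own interpretation; the secret string and client IP are the sample values from the post, and the IP is only a hashed input, never used to validate the session afterwards.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Sample value from the post; a production secret should be long and randomly generated.
SERVER_SECRET = b"the king is great!"


def generate_session_id(client_ip: str, server_secret: bytes,
                        now: Optional[float] = None,
                        random_bytes: Optional[bytes] = None) -> str:
    """Return a 64-hex-char session ID from the four sources in the post.

    `now` and `random_bytes` default to the real clock and the OS CSPRNG; they are
    parameters only so the construction can be exercised deterministically in tests.
    """
    if now is None:
        now = time.time()                       # "guaranteed unique" source
    if random_bytes is None:
        random_bytes = secrets.token_bytes(16)  # 128 bits the attacker cannot know
    # Length-prefix every field so adjacent fields cannot be re-split into a colliding
    # message (e.g. "12"+"3" vs "1"+"23") before hashing.
    fields = [repr(now).encode(), random_bytes, client_ip.encode()]
    message = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    # Keying the hash with the server secret is the "salted hash" step: knowing the
    # algorithm, the IP and the timestamp is not enough to recompute the ID.
    return hmac.new(server_secret, message, hashlib.sha256).hexdigest()


def ids_are_unique(client_ip: str, count: int = 1000) -> bool:
    """Same client IP, same instant: the random component alone must keep IDs distinct."""
    now = time.time()
    ids = {generate_session_id(client_ip, SERVER_SECRET, now=now) for _ in range(count)}
    return len(ids) == count


if __name__ == "__main__":
    print(generate_session_id("65.78.98.20", SERVER_SECRET))
    print("distinct IDs for one IP at one instant:", ids_are_unique("65.78.98.20"))
```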