WebApp Sec mailing list archives
How to protect against cookie stealing?
From: "Phil Cox" <Phil.Cox () SystemExperts com>
Date: Wed, 23 Jul 2003 22:33:45 -0700
All, I have a question on how people are handling cookie stealing and session segregation. For example, it is possible to use session cookie information on multiple systems for most (all?) web applications I know of. Here is a scenario: When a user logs in he is assigned a BLAH_SESSIONID cookie which serves as an authorization mechanism in the application. The application does not associate the cookie to any session-specific information (e.g., source IP address), so another user can also use the BLAH_SESSIONID cookie to access the same information (over a different TCP/IP session) that the legitimate user can. If an attacker obtains, or guesses a valid BLAH_SESSIONID cookie for an active session, he can use it without the user's knowledge. For example, I was able to execute the following command using an BLAH_SESSIONID that was obtained from another session: Command on Linux box: # curl -b "BLAH_SESSIONID=0000FDHTNLVY5WX" https://somesite.com/App/Function? Returns the page: (some portion of the returned page) Historically I have believed that having the application associate the BLAH_SESSIONID session cookie and its associated privileges with a specific SSL session or source IP address would prevent this session stealing. But recently I have been told that this solution does not work because of the dynamic IP nature of MANY ISP's and the disassociation of SSL/HTTP. I would like to know what others are doing to solve this problem, or if they are just not solving it at all. Thoughts and comments are appreciated... Phil
Current thread:
- How to protect against cookie stealing? Phil Cox (Jul 24)
- Re: How to protect against cookie stealing? Brant Langer Gurganus (Jul 24)
- Re: How to protect against cookie stealing? Bill Pennington (Jul 24)
- Re: How to protect against cookie stealing? Marc Slemko (Jul 27)
- <Possible follow-ups>
- RE: How to protect against cookie stealing? Dawes, Rogan (ZA - Johannesburg) (Jul 24)
- RE: How to protect against cookie stealing? .:[ Death Star]:. (Jul 24)
- Re: How to protect against cookie stealing? Chris Green (Jul 26)
- Re: How to protect against cookie stealing? Erik Kangas, PhD (Jul 26)
- RE: How to protect against cookie stealing? .:[ Death Star]:. (Jul 24)
- RE: How to protect against cookie stealing? Ingo Struck (Jul 24)
- RE: How to protect against cookie stealing? Gabriel Lawrence (Jul 27)
- Re: How to protect against cookie stealing? Mark Reardon (Jul 24)