Re: How to protect against cookie stealing?

[Ken Anderson <ka () pacific net>]

Are there any web application frameworks that implement per
action/screen session cookies? Java or perl libraries to help with
this seemingly complex task? I can imagine a case where a click back 
might give you some grief...

Thanks,
Ken A.

Mark Reardon wrote:

> 2. Any static cookie is subject to being stolen. What the government
> used to require of internet banks (1995 and 1996) was that cookies
> had to change on a per screen (or action) basis. If the wrong cookie
> was received the session was logged out.
>
> I believe we used a random number that was then encrypted. The key
> that was derived from a hash of bits such as the host portion of the
> browser's network socket and the browser's identifying HTTP string.
> Thus, each session had potentially a different key value that was
> recoverable from the information available to a CGI.
>
> Since each screen had a different random value, the combination
> caused hard crack attempts to be too time consuming and frankly,
> difficult, to be of value. We also had a short timeout so an idle
> browser only had so much exposure. It wasn't perfect but it closed
> things down a bit.
>
> We stored the random value in our backend database. The advanage of
> this is that the web servers could fail over (causing an SSL session
> renegotiation) and the banking session would not die. However, if the
> browser were to fail over or change IP address, we would have logged
> the user out of their session due to a bad cookie.
>
>
>
> Mark
>
> ---- Mark Reardon Reardon Information Security Corporation (404)
> 444-0041