WebApp Sec mailing list archives
Re: How to protect against cookie stealing?
From: Ken Anderson <ka () pacific net>
Date: Thu, 24 Jul 2003 10:24:39 -0700
Are there any web application frameworks that implement per action/screen session cookies? Java or perl libraries to help withthis seemingly complex task? I can imagine a case where a click back might give you some grief...
Thanks, Ken A. Mark Reardon wrote:
2. Any static cookie is subject to being stolen. What the government used to require of internet banks (1995 and 1996) was that cookies had to change on a per screen (or action) basis. If the wrong cookie was received the session was logged out. I believe we used a random number that was then encrypted. The key that was derived from a hash of bits such as the host portion of the browser's network socket and the browser's identifying HTTP string. Thus, each session had potentially a different key value that was recoverable from the information available to a CGI. Since each screen had a different random value, the combination caused hard crack attempts to be too time consuming and frankly, difficult, to be of value. We also had a short timeout so an idle browser only had so much exposure. It wasn't perfect but it closed things down a bit. We stored the random value in our backend database. The advanage of this is that the web servers could fail over (causing an SSL session renegotiation) and the banking session would not die. However, if the browser were to fail over or change IP address, we would have logged the user out of their session due to a bad cookie. Mark ---- Mark Reardon Reardon Information Security Corporation (404) 444-0041
Current thread:
- Re: How to protect against cookie stealing?, (continued)
- Re: How to protect against cookie stealing? Brant Langer Gurganus (Jul 24)
- Re: How to protect against cookie stealing? Bill Pennington (Jul 24)
- Re: How to protect against cookie stealing? Marc Slemko (Jul 27)
- RE: How to protect against cookie stealing? Dawes, Rogan (ZA - Johannesburg) (Jul 24)
- RE: How to protect against cookie stealing? .:[ Death Star]:. (Jul 24)
- Re: How to protect against cookie stealing? Chris Green (Jul 26)
- Re: How to protect against cookie stealing? Erik Kangas, PhD (Jul 26)
- RE: How to protect against cookie stealing? .:[ Death Star]:. (Jul 24)
- RE: How to protect against cookie stealing? Ingo Struck (Jul 24)
- RE: How to protect against cookie stealing? Gabriel Lawrence (Jul 27)
- Re: How to protect against cookie stealing? Mark Reardon (Jul 24)
- Re: How to protect against cookie stealing? Ken Anderson (Jul 24)
- RE: How to protect against cookie stealing? Dawes, Rogan (ZA - Johannesburg) (Jul 27)
- RE: How to protect against cookie stealing? .:[ Death Star]:. (Jul 27)
- RE: How to protect against cookie stealing? Dawes, Rogan (ZA - Johannesburg) (Jul 27)
- RE: How to protect against cookie stealing? Dawes, Rogan (ZA - Johannesburg) (Jul 28)
- RE: How to protect against cookie stealing? PortSwigger (Jul 29)