WebApp Sec mailing list archives
Re: Session security with cookies
From: bugtraq () cgisecurity net
Date: Tue, 4 Dec 2007 17:24:30 -0500 (EST)
Here are some factors that you will want to ensure. -Session token is delivered after authentication -Each session token is unique and not predictable (requiring a strong random token generator) -Session token is transfer over an encrypted tunnel -Session token is marked secure -Ensure the session is terminated at logout -Ensure the session times out in a reasonable amount of time -All access control should be based on the user's session token and only the session token Optional Don't allow concurrent sessions. Don't allow IP hopping. (Changing of IP address mid session.)
IP hopping is normal on large ISP's (take AOL's proxy network). If you're willing to contact aol/other networks that utilize this behavior and have peroid updates of their hosts in an attempt to whitelist then go for it. Most people don't go through the trouble which is why disallowing hopping is impractical for most businesses. Regards, - Robert http://www.cgisecurity.com/ Application Security news and more
There are more details that I am sure that someone one the list will help fill in for you. But I believe these are a good start. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Till Elsner Sent: Monday, December 03, 2007 6:32 PM To: webappsec () securityfocus com Subject: Session security with cookies Hi, i'm investigating in web application security this time and i'm trying to find some information about session management with cookies and related security issues. Can anyone point me to tips on how to make cookie based sessions more secure and how to prevent session hijacking? How secure is session handling using cookies and what are the main risks? Is anyone aware of good literature on that topic? Thanks and have a nice day Till ------------------------------------------------------------------------ - Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F ------------------------------------------------------------------------ - ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Session security with cookies Till Elsner (Dec 04)
- Re: Session security with cookies Paul Johnston (Dec 04)
- RE: Session security with cookies Jeffory Atkinson (Dec 04)
- Re: Session security with cookies bugtraq (Dec 04)
- Re: Session security with cookies Thomas (Dec 05)
- Re: Session security with cookies Aaron Katz (Dec 05)
- Re: Session security with cookies Aaron Katz (Dec 05)
- Re: Session security with cookies Vicente Aguilera (Dec 05)
- RE: Session security with cookies WebAppSec (Dec 08)
- Re: Session security with cookies Ron (Dec 04)
- Re: Session security with cookies Aaron Katz (Dec 04)
- Re: Session security with cookies Till Elsner (Dec 05)
- Re: Session security with cookies Aaron Katz (Dec 05)
- Re: Session security with cookies Till Elsner (Dec 05)
- Re: Session security with cookies Aaron Katz (Dec 04)