Re: Session security with cookies

[bugtraq () cgisecurity net]

> Here are some factors that you will want to ensure. 
> -Session token is delivered after authentication
> -Each session token is unique and not predictable (requiring a strong
> random token generator)  
> -Session token is transfer over an encrypted tunnel
> -Session token is marked secure
> -Ensure the session is terminated at logout
> -Ensure the session times out in a reasonable amount of time
> -All access control should be based on the user's session token and only
> the session token
> Optional
>       Don't allow concurrent sessions.
>       Don't allow IP hopping. (Changing of IP address mid session.)

IP hopping is normal on large ISP's (take AOL's proxy network). If you're willing
to contact aol/other networks that utilize this behavior and have peroid updates
of their hosts in an attempt to whitelist then go for it. Most people don't go through
the trouble which is why disallowing hopping is impractical for most businesses. 
 
Regards,
- Robert
http://www.cgisecurity.com/ Application Security news and more



> There are more details that I am sure that someone one the list will
> help fill in for you. But I believe these are a good start.  
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Till Elsner
> Sent: Monday, December 03, 2007 6:32 PM
> To: webappsec () securityfocus com
> Subject: Session security with cookies
>
> Hi, i'm investigating in web application security this time and i'm  
> trying to find some information about session management with cookies  
> and related security issues. Can anyone point me to tips on how to  
> make cookie based sessions more secure and how to prevent session  
> hijacking? How secure is session handling using cookies and what are  
> the main risks? Is anyone aware of good literature on that topic?
> Thanks and have a nice day
> Till
>
> ------------------------------------------------------------------------
> -
> Sponsored by: Watchfire 
> Methodologies & Tools for Web Application Security Assessment 
> With the rapid rise in the number and types of security threats, web
> application security assessments should be considered a crucial phase in
> the development of any web application. What methodology should be
> followed? What tools can accelerate the assessment process? Download
> this Whitepaper today! 
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> ------------------------------------------------------------------------
> -
>
>
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire 
> Methodologies & Tools for Web Application Security Assessment 
> With the rapid rise in the number and types of security threats, web application security assessments should be 
> considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
> can accelerate the assessment process? Download this Whitepaper today! 
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------