WebApp Sec mailing list archives

Re: How can i protect against session hijacking?


From: Justin Clarke <justin () justinclarke com>
Date: Thu, 02 Apr 2009 10:14:34 +0100

One possibility is the WAF tying the session cookie to the SSL session -
i.e. the session information is internally related in the WAF to a single
known SSL session, and therefore you shouldn't be able to use that session
identifier from another machine, or even from another browser on the same
machine.

No idea how problematic this is in practice - some of the solutions included
in the RFI we ran for a client recently noted this capability.  Would be
interested if anyone has ever seen this work.

Justin


On 02/04/2009 07:02, "Martin O'Neal" <martin.oneal () corsaire com> wrote:



Try installing a Web Application Firewall (WAF)
that prevents attacks like this, there are several
on the market...

LOL; this I want to hear.  Explain how a WAF addresses:

"If an attacker gets hold of the end user's cookies (through XSS and so
forth), how can you actually prevent session hijacking?"

Oh, and just to be specific, in this scenario the relevant bit is the
session hijacking; the cookies and session ID are already lost via some
mechanism (which isn't of interest).

Martin...
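The binding Justin describes, as an added Python sketch written for this page (it is not code from the list, from Corsaire, or from any WAF product): the server records a hash of the TLS session identifier when the application session is created, and a cookie that later arrives over a different TLS session is rejected and the session revoked. It assumes the TLS-terminating proxy or WAF passes the TLS session id through to the application; the store and function names are invented here.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store: app session id -> {"user", "tls_binding"}.
SESSIONS = {}


def _binding(tls_session_id: bytes) -> str:
    # Keep only a hash of the TLS session id; the raw value is never stored.
    return hashlib.sha256(tls_session_id).hexdigest()


def create_session(user: str, tls_session_id: bytes) -> str:
    """Issue an application session bound to the TLS session it was created on."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "tls_binding": _binding(tls_session_id)}
    return sid


def lookup_session(sid: str, tls_session_id: bytes):
    """Return the user if cookie and TLS session agree, otherwise None.

    A mismatch means the cookie is being replayed from a different connection
    (another machine, or another browser on the same machine), so the session
    is destroyed and the stolen cookie is useless from then on.
    """
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    if not hmac.compare_digest(entry["tls_binding"], _binding(tls_session_id)):
        del SESSIONS[sid]
        return None
    return entry["user"]


def demo():
    # Constructed TLS session ids: the victim's browser and an attacker's client.
    victim_tls = b"tls-session-A"
    attacker_tls = b"tls-session-B"
    sid = create_session("alice", victim_tls)
    ok = lookup_session(sid, victim_tls)        # accepted: same TLS session
    stolen = lookup_session(sid, attacker_tls)  # rejected and revoked
    after = lookup_session(sid, victim_tls)     # victim is logged out too
    return ok, stolen, after
```

The practical cost Justin wonders about shows up in the last line of demo(): any event that produces a new TLS handshake (a closed connection pool, expired resumption state, a switch of network) changes the binding and forces the legitimate user to log in again.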
