Re: Protecting against Cookie copying
[prev]
[thread]
[next]
[Date index for 2004/11/08]
Thanks everyone. You've done a good job of assuring me
that I haven't missed the whole point of the way these
things work.
There's been some really useful ideas, suggested and
I'm going to have a think about which, if any, are
worth implementing.
Ultimitely I'm upgrading our site from normal Basic
authentication, which sends username and password
unencrypted anyway, so compared to that the security
upgrade is still a big increase!
Marty
--- Sam Tregar <sam@xxxxxx.xxx> wrote:
> On Mon, 8 Nov 2004, Martin Moss wrote:
>
> > I'm looking into ways of uniquely identifying a
> > computer.
>
> Intel tried to implement this a while back with a
> unique ID in the
> CPU. The public was not ammused. If you do find a
> way, please tell
> us so we can find a workaround.
>
> > What I wish to do is prevent another user copying
> the
> > session cookie, from one computer to another, and
> then
> > gaining access.
>
> You can get close by using a very short session
> timeout, tying the IP
> to the cookie and putting a serial number on each
> form. I believe
> this is what my bank does. Sure, the IP can be
> spoofed or shared, and
> hackers can automate systems to defeat the timeouts
> and serial
> numbers, but it definitely raises the bar. As an
> added bonus, the
> serial numbers also help with the ubiquitous
> catastrophe which is the
> back button.
>
> -sam
>
> --
> Report problems: http://perl.apache.org/bugs/
> Mail list info:
> http://perl.apache.org/maillist/modperl.html
> List etiquette:
> http://perl.apache.org/maillist/email-etiquette.html
>
>
___________________________________________________________ALL-NEW Yahoo! Messenger - all new features - even more fun! http://uk.messenger.yahoo.com
--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
