Re: Protecting against Cookie copying


From: Sam Tregar
Subject: Re: Protecting against Cookie copying
Date: 16:27 on 08 Nov 2004
On Mon, 8 Nov 2004, Martin Moss wrote:

> I'm looking into ways of uniquely identifying a
> computer.

Intel tried to implement this a while back with a unique ID in the
CPU.  The public was not amused.  If you do find a way, please tell
us so we can find a workaround.

> What I wish to do is prevent another user copying the
> session cookie, from one computer to another, and then
> gaining access.

You can get close by using a very short session timeout, tying the IP
to the cookie and putting a serial number on each form.  I believe
this is what my bank does.  Sure, the IP can be spoofed or shared, and
hackers can automate systems to defeat the timeouts and serial
numbers, but it definitely raises the bar.  As an added bonus, the
serial numbers also help with the ubiquitous catastrophe which is the
back button.

-sam

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
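The three measures Sam lists (a short idle timeout, binding the session to the client IP, and a one-time serial number on every form) can be sketched in a few dozen lines. The following is an added illustration, not code from the original thread or from mod_perl; the SessionStore class, its method names and the injected clock are assumptions made for the example, and the IP addresses are constructed sample input.

```python
import secrets
import time

# "Very short" idle timeout, in seconds (assumed value for the example).
SESSION_TIMEOUT = 300


class SessionStore:
    """Server-side session table implementing the three checks from the post:
    idle timeout, cookie-to-IP binding, and per-form one-time serial numbers.
    A clock function is injected so the timeout can be exercised offline."""

    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.time):
        self.timeout = timeout
        self.clock = clock
        self.sessions = {}  # session id -> session record

    def create(self, user, client_ip):
        # Unpredictable session id; the record remembers the IP it was issued to.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {
            "user": user,
            "ip": client_ip,
            "last_seen": self.clock(),
            "serials": set(),  # outstanding form serials, consumed on use
        }
        return sid

    def validate(self, sid, client_ip):
        """Return the session record if the cookie is live and presented from
        the address it was bound to, otherwise None."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.timeout:
            del self.sessions[sid]  # idle too long: expire it
            return None
        if s["ip"] != client_ip:
            # The cookie value is right but the peer address is not: treat it
            # as a copied cookie and refuse (a stricter policy could revoke).
            return None
        s["last_seen"] = now
        return s

    def issue_form_serial(self, sid, client_ip):
        """Embed the returned value in a hidden field when rendering a form."""
        s = self.validate(sid, client_ip)
        if s is None:
            return None
        serial = secrets.token_urlsafe(16)
        s["serials"].add(serial)
        return serial

    def consume_form_serial(self, sid, client_ip, serial):
        """Accept a form submission once; a replay (back button, or a copied
        request) fails because the serial has already been removed."""
        s = self.validate(sid, client_ip)
        if s is None:
            return False
        if serial in s["serials"]:
            s["serials"].remove(serial)
            return True
        return False


def demo():
    """Walk through the scenarios from the post with constructed addresses."""
    now = [1_000_000.0]
    store = SessionStore(timeout=300, clock=lambda: now[0])
    sid = store.create("alice", "203.0.113.10")
    results = {}
    results["same_ip"] = store.validate(sid, "203.0.113.10") is not None
    # Same cookie value presented from another machine: rejected.
    results["copied_cookie"] = store.validate(sid, "198.51.100.7") is not None
    serial = store.issue_form_serial(sid, "203.0.113.10")
    results["first_submit"] = store.consume_form_serial(sid, "203.0.113.10", serial)
    results["replayed_submit"] = store.consume_form_serial(sid, "203.0.113.10", serial)
    now[0] += 301  # idle past the timeout
    results["after_timeout"] = store.validate(sid, "203.0.113.10") is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The usual caveat applies to the IP check: clients behind NAT or a shared proxy present the same address, so a copied cookie from the same office still passes, while users whose address changes mid-session (mobile networks, some ISPs) get logged out. Bind to the address the server actually sees, and only trust an X-Forwarded-For header from a proxy you control.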
