Re: Protecting against Cookie copying
[Date index for 2004/11/08]
Disclaimer: the following is all "to the best of my knowledge".
Take it for what it's worth.
On 8-Nov-04, at 9:27 AM, Martin Moss wrote:
> so therefore I wonder if I can use this,
> e.g. map my session_id to a UUID, and then when I
> check the session is valid I crosscheck this, however
> I'm not sure if I can get the UUID over a non-SSL
> connection.
Assuming you're talking about the SSL session-id, that
is only available over an SSL connection. Even with SSL
connections, there is actually nothing stopping the
client from opening more than one SSL connection and
therefore having more than one SSL connection-id.
So that seems to me like a dead end.
> I'm sure I'm not the first person to want to uniquely
> identify a computer that comes to my site, without
> blindly trusting cookies, but I'm at a loss of how to
> find anything better than ipaddress to session cookie
> mapping. (which is kinda pointless for Natted
> addresses I know).
It is very hard to trust anything that comes in over
a non-ssl connection. If you are concerned about security,
I'd recommend using ssl consistently throughout the
session. This will at least deal with the case where
cookies are stolen by monitoring the connection (assuming
you've taken adequate care to avoid man-in-the-middle
attacks).
Stealing a session cookie from the client's cookie jar is
harder to protect against. On the other hand, it is perhaps
not so easy to do. One might think that a security-conscious
browser would not commit session cookies to disk, but I
don't know which (if any) browsers do this (and in any event,
it may be possible to snatch them out of memory, or through
some XSS hack.)
All the same, session cookies with SSL are a reasonably secure
mechanism; "good enough" unless you are running a site which
requires a very high degree of security. In the latter case,
you probably want to investigate client SSL certificates and/or
other high-grade security solutions.
--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
Rici Lake 15:23 on 08 Nov 2004
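The advice in the reply above comes down to three things: the session id must be random rather than derived from anything the client can guess or reuse (the SSL session-id is not a stable identifier because a client can open several SSL connections), the cookie must only ever travel over SSL so it cannot be picked up by monitoring the connection, and the server should refuse a session cookie that arrives in the clear. The following Python example, added here and not part of the original thread or of mod_perl, shows one way to put that into practice: it issues a random session id in a cookie marked Secure (so a browser will not send it over a non-SSL connection) and HttpOnly (so page scripts cannot read it, which narrows the XSS theft route the reply mentions), and it validates incoming sessions only on SSL requests. The `is_ssl` flag, the in-memory `store` dict, the 30-minute lifetime and the `demo()` scenarios are all constructed for the example; in a real server `is_ssl` would come from whatever the server reports (under mod_ssl, the `HTTPS` environment variable).

```python
import secrets
import time
from http.cookies import SimpleCookie, CookieError

SESSION_COOKIE = "session_id"
SESSION_TTL = 30 * 60  # seconds; constructed value for this example


def issue_session(store, now=None):
    """Create a server-side session record and return (session_id, Set-Cookie header).

    The id is 256 bits from the OS CSPRNG, not derived from the client address,
    the clock or the SSL session-id, none of which identifies a client reliably.
    """
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    store[session_id] = {"created": now, "expires": now + SESSION_TTL}

    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    cookie[SESSION_COOKIE]["secure"] = True     # browser sends it only over SSL/TLS
    cookie[SESSION_COOKIE]["httponly"] = True   # not readable by page scripts
    cookie[SESSION_COOKIE]["path"] = "/"
    header = cookie.output(header="Set-Cookie:").strip()
    return session_id, header


def validate_session(store, cookie_header, is_ssl, now=None):
    """Return the session id if the request carries a live session, else None.

    A request that did not arrive over SSL is refused outright: with the Secure
    flag set the browser should never have sent the cookie in the clear, so a
    session cookie on a plain connection is either a misconfiguration or a
    copy that may have been sniffed off the wire.
    """
    now = time.time() if now is None else now
    if not is_ssl or not cookie_header:
        return None

    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header)  # value of the client's Cookie: header
    except CookieError:
        return None
    morsel = cookie.get(SESSION_COOKIE)
    if morsel is None:
        return None

    record = store.get(morsel.value)
    if record is None:
        return None                  # unknown or guessed id
    if record["expires"] <= now:
        del store[morsel.value]      # expired: drop it so it cannot be replayed later
        return None
    return morsel.value


def demo():
    """Constructed scenarios: SSL request accepted, plain/guessed/expired refused."""
    store = {}
    sid, header = issue_session(store, now=1000.0)
    cookie_line = f"{SESSION_COOKIE}={sid}"
    return {
        "header_has_secure": "Secure" in header,
        "header_has_httponly": "HttpOnly" in header,
        "ssl_ok": validate_session(store, cookie_line, is_ssl=True, now=1001.0) == sid,
        "plain_refused": validate_session(store, cookie_line, is_ssl=False, now=1001.0) is None,
        "guessed_refused": validate_session(store, f"{SESSION_COOKIE}=guess", is_ssl=True, now=1001.0) is None,
        "expired_refused": validate_session(store, cookie_line, is_ssl=True, now=1000.0 + SESSION_TTL + 1) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The Secure flag addresses the "monitoring the connection" case; it does nothing against a cookie lifted from the client's own cookie jar or memory, which is exactly the residual risk the reply describes, and where it points to client SSL certificates for sites that need more.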