Protecting against Cookie copying
All,
I'm looking into ways of uniquely identifying a
computer. I've been reading around the web looking at
different mechanisms, and so far I've drawn a fuzzy
blank. Currently, I want to use SSL to let a user sign
in and then I return a session cookie, which I then
use to confirm the user is logged in when they come to
non-SSL pages.
What I wish to do is prevent another user copying the
session cookie, from one computer to another, and then
gaining access. Originally I wondered if I could get
at the MAC address of the connection, but that seems
to be a dead end. After a little further reading it
seems that there is a UUID generated at the handshake?
stage of SSL, so therefore I wonder if I can use this,
e.g. map my session_id to a UUID, and then when I
check the session is valid I cross-check this; however,
I'm not sure if I can get the UUID over a non-SSL
connection.
I'm sure I'm not the first person to want to uniquely
identify a computer that comes to my site, without
blindly trusting cookies, but I'm at a loss as to how to
find anything better than IP address to session cookie
mapping (which is kinda pointless for NATted
addresses, I know).
Does anybody have any ideas, pointers...?
Regards
Marty
--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
Martin Moss 14:27 on 08 Nov 2004
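The "IP address to session cookie mapping" the post describes, worked through as an added example (not code from the post or from mod_perl; the store, the client addresses and the browser strings are constructed for the demo). The session id is generated at login, the source IP and User-Agent seen at that moment are recorded beside it, and every later request must match both. It also shows the limit the poster already notes: a copy presented from behind the same NAT by the same browser build is indistinguishable from the real client.

```python
import secrets
import time

SESSION_TTL = 3600  # seconds; a constructed value for this demo

# Constructed in-memory store standing in for a real session backend
# (e.g. Apache::Session or a database table keyed by session id).
SESSIONS = {}


def create_session(user, client_ip, user_agent):
    """Issue a fresh session id after a (TLS) login and record the
    client attributes it is bound to."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "ip": client_ip,
        "ua": user_agent,
        "issued": time.time(),
    }
    return sid


def validate_session(sid, client_ip, user_agent, now=None):
    """Check a presented session cookie against the binding recorded at login.

    Returns (True, user) on success or (False, reason) on failure. A cookie
    copied to a machine with a different source IP or User-Agent is refused;
    a copy presented from behind the same NAT with the same browser string
    is not, which is the limit of this technique."""
    now = time.time() if now is None else now
    rec = SESSIONS.get(sid)
    if rec is None:
        return False, "unknown session"
    if now - rec["issued"] > SESSION_TTL:
        SESSIONS.pop(sid, None)      # one-shot expiry: drop the record
        return False, "expired"
    if rec["ip"] != client_ip:
        return False, "ip mismatch"
    if rec["ua"] != user_agent:
        return False, "user-agent mismatch"
    return True, rec["user"]


def demo():
    """Walk through the cases from the post with constructed clients."""
    ua = "Mozilla/5.0 (constructed)"
    sid = create_session("marty", "203.0.113.10", ua)   # login over SSL
    return {
        # same machine, later non-SSL page: accepted
        "legit": validate_session(sid, "203.0.113.10", ua),
        # cookie copied to a host on another network: refused
        "copied_other_host": validate_session(sid, "198.51.100.7", ua),
        # copied to a colleague's identical browser behind the same NAT:
        # indistinguishable from the real client, so accepted
        "copied_same_nat_same_browser": validate_session(sid, "203.0.113.10", ua),
        # same NAT but a different browser string: refused
        "copied_same_nat_other_browser": validate_session(
            sid, "203.0.113.10", "Opera/7.54 (constructed)"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two caveats a practitioner would attach to this. First, the binding narrows the window but does not close it: the cookie still crosses the wire in clear on every non-SSL page, and anyone who can read it there is usually on the same network segment, so the IP check buys little against that attacker. Second, the handshake identifier the poster is thinking of (the TLS session id) only exists on an encrypted connection; a plain HTTP request never performs a handshake, so there is nothing to cross-check on the non-SSL pages. The durable fix is to keep the session cookie on HTTPS only (the Secure flag) and, if non-SSL pages must know the user, give them a separate cookie that carries no privileged capability.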