Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: How to protect against cookie stealing?
From: Erik Kangas, PhD (kangasluxsci.com)
Date: Sat Jul 26 2003 - 09:21:21 CDT
> ".:[ Death Star]:." <deathstaroptonline.net> writes:
> > There is another solution, you can use both sessionID's and cookies, so
> > based on the IP address you would look for the cookie before giving the
> > user access control. The session ID will store 2 fields (example userid
> > and associated ip address) the cookie will hold other fields. And u can
> > use multiple sessions and multiple cookies that will be destroyed upon
> > opening another page.
> Has anyone going down this route of incorporating an IP address into
> the cookie gotten pushback from people on networks with multiple
> proxies or routing rules?
We have never seen a problem with any one person appearing to come from
multiple IP addresses in a single session. You can use another piece of
information which is less unique, but still pretty diverse -- the user agent.
One trick is to make a hash of the user agent string + the cookie time stamp +
some secret key and use this in combination with the session id as a
validator. I.e. you would have 2 cookies (or 1 cookie with 2 parts) -
the session ID and the validation hash. When you get the cookies
back, you validate the existance of the session, that the session has not
timed out, and that it comes from a valid person.
You can still have cookie stealing if the stealer knows your
validation alg. and steals the cookies and spoofs the user agent and any
other variable information that you are using in your validtaion hash. But
then, all of this information be spoofed, including IP addresses.
If you are worried about sessions with multiple IPs, you could mask the IP
and take the first 2 octets, for example. This would not solve the
problem completely, but would mitigate it.
If you are really, really worried, use secure cookies. These can only really
be stolen via direct access to the client machine.
Erik Kangas, Ph.D. --- President of Lux Scientiae, Incorporated
Lux Scientiae: 1-800-441-6612 46 Central Street
FAX: 1-413-332-0598 Somerville, Massachusetts
Cell: 1-617-596-9558 02143, United States of America
AOL Messenger: "luxsci"
kangasluxsci.com --- http://luxsci.com