Re: [WebDNA] Secure Cookies
This WebDNA talk-list message is from 2009
numero = 103892
I think your sessionIDs are spoofable (particularly because cart numbers have a time element in them). If I can see a sessionID in the cookie, I can keep passing variations until I get a hit on one with a response.

Keep in mind we are talking theoretical technical risk of session hijacking. For a CMS, you are probably OK (only you know the strength of your underlying code). The encryption piece is an added layer of complexity that makes it hard to swap sessionIDs in an attack.

Bill

On Tue, Oct 27, 2009 at 4:06 AM, Tom Duke wrote:
> Hi guys,
> I do the following for session cookies:
> 1. When a user logs in I create a record in a sessionDB that includes their userID, the time in seconds since epoch, and a unique sessionID using [cart]
> 2. I set the sessionID as a cookie
> 3. Each site has a default timeout - usually 30mins; each time a user refreshes a page I reset the time in the session db
> 4. If the user is inactive for over 30mins then they are kicked out at the next attempt to access a page and the record in the sessionDB is deleted
> 5. I run an hourly trigger that deletes any records in the sessionDB where the time is over 30mins old
> I use this for admin pages on our CMS, so I do not use persistent cookies. I can't see how encrypting the session cookie improves security in this context.
> Finally, one thing I don't do is check the client's IP. I found that some users accessing the net from within large corporations (i.e. Microsoft) accessed the site using different IPs even within the same session. I assume this must be a security feature on the Microsoft end.
> Take care
> - Tom
William DeVaul
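Added example, not WebDNA code and not Tom's or Bill's implementation: a Python sketch of the five-step sessionDB scheme Tom describes, with the [cart]-derived identifier replaced by a token from the operating system's CSPRNG so the session ID carries no time component that could be varied until one gets a hit, which is the weakness Bill raises. The class and method names are mine; timestamps are passed in explicitly so the idle-timeout and cleanup behaviour can be exercised without waiting 30 minutes.

```python
"""Session store modelled on the sessionDB scheme from the thread.

Illustrative code, not WebDNA and not the posters' own implementation.
The session ID is 256 random bits from secrets.token_urlsafe(), so unlike
a cart number it has no clock-derived structure to enumerate.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

IDLE_TIMEOUT_SECONDS = 30 * 60  # the 30-minute inactivity window from the post


@dataclass
class Session:
    user_id: str
    last_seen: float  # seconds since epoch, refreshed on every page load


@dataclass
class SessionStore:
    """In-memory stand-in for the sessionDB (hypothetical name)."""
    idle_timeout: int = IDLE_TIMEOUT_SECONDS
    _sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, user_id: str, now: Optional[float] = None) -> str:
        """Step 1: create the record, keyed by an unguessable session ID.

        secrets.token_urlsafe(32) yields 43 URL-safe characters (256 bits
        of entropy) with no relation to the time of login.
        """
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user_id=user_id, last_seen=now)
        return session_id  # Step 2: the caller sets this as the cookie value

    def touch(self, presented_id: str, now: Optional[float] = None) -> Optional[str]:
        """Steps 3 and 4: validate on each page load; refresh or kick out.

        Returns the userID for a live session, or None when the cookie is
        unknown or the session has been idle longer than the timeout (in
        which case the record is deleted immediately, as in Tom's step 4).
        """
        now = time.time() if now is None else now
        session = self._sessions.get(presented_id)
        if session is None:
            return None
        if now - session.last_seen > self.idle_timeout:
            del self._sessions[presented_id]  # inactive: delete and kick out
            return None
        session.last_seen = now  # active: slide the 30-minute window forward
        return session.user_id

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Step 5: the hourly trigger; returns how many stale records it removed."""
        now = time.time() if now is None else now
        stale = [sid for sid, s in self._sessions.items()
                 if now - s.last_seen > self.idle_timeout]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("admin", now=0.0)
    print("cookie value:", sid)
    print("after 10 min:", store.touch(sid, now=600.0))      # still "admin"
    print("after 45 idle min:", store.touch(sid, now=3300.0))  # None, kicked out
```

The idle check uses `>` rather than `>=`, so a request landing exactly at the 30-minute mark still counts as active; the hourly purge applies the same rule so the two paths never disagree about which records are stale.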