Re: [WebDNA] Secure Cookies

This WebDNA talk-list message is from

2009


It keeps the original formatting.
numero = 103892
interpreted = N
texte = I think your sessionIDs are spoofable (particularly because cart numbers have a time element in them). If I can see a sessionID in the cookie, I can keep passing variations until I get a hit on one with a response. Keep in mind we are talking theoretical technical risk of session hijacking. For a CMS, you are probably OK (only you know the strength of your underlying code). The encryption piece is an added layer of complexity that makes it hard to swap sessionIDs in an attack. Bill On Tue, Oct 27, 2009 at 4:06 AM, Tom Duke wrote: > Hi guys, > I do the following for session cookies: > 1. When a user logs in I create a record in a sessionDB that includes the= ir > userID, the time in seconds since epoch, and a unique sessionID using [ca= rt] > 2. I set the sessionID as a cookie > 3. Each site has a default timeout - usually 30mins, each time a user > refreshes a page I reset the time in the session db > 4. If the user is inactive for over 30mins then they are kicked out at th= e > next attempt to access a page and the record in the sessionDB is deleted > 5. I run an hourly trigger that deletes any records in the sessionDB wher= e > the time is over 30mins old > I use this for admin pages on our CMS, so I do not use persistent cookies= . > =A0I can't see how encrypting the session cookie improves security in thi= s > context. > Finally one thing I don't do is check the clients IP, I found that some > users accessing the net from within large corporations (i.e Microsoft) > accessed the site using different IPs even within the same session. =A0 I > assume this must be a security feature on the Microsoft end. > Take care > - Tom > > > Associated Messages, from the most recent to the oldest:

    
  1. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  2. Re: [WebDNA] Secure Cookies (christophe.billiottet@webdna.us 2020)
  3. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  4. Re: [WebDNA] Secure Cookies (Brian Harrington 2020)
  5. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  6. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  7. Re: [WebDNA] Secure Cookies (Tom Duke 2020)
  8. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  9. Re: [WebDNA] Secure Cookies (Tom Duke 2020)
  10. Re: [WebDNA] Secure Cookies (christophe.billiottet@webdna.us 2020)
  11. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  12. Re: [WebDNA] Secure Cookies (christophe.billiottet@webdna.us 2020)
  13. Re: [WebDNA] Secure Cookies (Stuart Tremain 2020)
  14. Re: [WebDNA] Secure Cookies (Tom Duke 2020)
  15. RE: [WebDNA] Secure Cookies ("Scott @ Itsula" 2020)
  16. [WebDNA] Secure Cookies - Further reading (Stuart Tremain 2020)
  17. [WebDNA] Secure Cookies (Stuart Tremain 2020)
  18. Re: [WebDNA] Secure cookies (HttpOnly/Secure) ("Dan Strong" 2013)
  19. Re: [WebDNA] Secure cookies (HttpOnly/Secure) (Tom Duke 2013)
  20. Re: [WebDNA] Secure cookies (HttpOnly/Secure) (WebDNA 2013)
  21. [WebDNA] Secure cookies (HttpOnly/Secure) ("Dan Strong" 2013)
  22. Re: [WebDNA] Secure Cookies (Tom Duke 2009)
  23. Re: [WebDNA] Secure Cookies (Tom Duke 2009)
  24. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  25. Re: [WebDNA] Secure Cookies (Tom Duke 2009)
  26. Re: [WebDNA] Secure Cookies (Frank Nordberg 2009)
  27. Re: [WebDNA] Secure Cookies (Govinda 2009)
  28. Re: [WebDNA] Secure Cookies ("Terry Wilson" 2009)
  29. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  30. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  31. Re: [WebDNA] Secure Cookies (Stuart Tremain 2009)
  32. Re: [WebDNA] Secure Cookies (Donovan Brooke 2009)
  33. Re: [WebDNA] Secure Cookies (Stuart Tremain 2009)
  34. Re: [WebDNA] Secure Cookies ("Terry Wilson" 2009)
  35. Re: [WebDNA] Secure Cookies (Stuart Tremain 2009)
  36. Re: [WebDNA] Secure Cookies (William DeVaul 2009)
  37. [WebDNA] Secure Cookies (Stuart Tremain 2009)
I think your sessionIDs are spoofable (particularly because cart numbers have a time element in them). If I can see a sessionID in the cookie, I can keep passing variations until I get a hit on one with a response. Keep in mind we are talking theoretical technical risk of session hijacking. For a CMS, you are probably OK (only you know the strength of your underlying code). The encryption piece is an added layer of complexity that makes it hard to swap sessionIDs in an attack. Bill On Tue, Oct 27, 2009 at 4:06 AM, Tom Duke wrote: > Hi guys, > I do the following for session cookies: > 1. When a user logs in I create a record in a sessionDB that includes the= ir > userID, the time in seconds since epoch, and a unique sessionID using [ca= rt] > 2. I set the sessionID as a cookie > 3. Each site has a default timeout - usually 30mins, each time a user > refreshes a page I reset the time in the session db > 4. If the user is inactive for over 30mins then they are kicked out at th= e > next attempt to access a page and the record in the sessionDB is deleted > 5. I run an hourly trigger that deletes any records in the sessionDB wher= e > the time is over 30mins old > I use this for admin pages on our CMS, so I do not use persistent cookies= . > =A0I can't see how encrypting the session cookie improves security in thi= s > context. > Finally one thing I don't do is check the clients IP, I found that some > users accessing the net from within large corporations (i.e Microsoft) > accessed the site using different IPs even within the same session. =A0 I > assume this must be a security feature on the Microsoft end. > Take care > - Tom > > > William DeVaul

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

[IPAddress] and AutoProxy (1998) WebCatalog sales (1997) WebCat2: Items xx to xx shown, etc. (1997) note re newbie ? re ssl and non-ssl site parts (1999) Press Release hit the NewsWire!!! (1997) help needed w/ search params (1998) How would I? (2000) Re[2]: Next X hits (1996) Cookie Newbie (2002) WebCat2: Found Items syntax, etc. (1997) WCS Newbie question (1997) [BoldWords] WebCat.acgib15Mac (1997) Week # problem (1998) Calculating Standard Deviation (2005) WebCommerce: Folder organization ? (1997) To use GREP to boldface text (2003) Webcat/Webmerchant part II (1998) Progress !! WAS: Trouble with formula.db (1997) Using Cookie for client specific info? (1997) Nested tags count question (1997)