Re: [WebDNA] Secure Cookies

This WebDNA talk-list message is from Tom Duke, 2009


numero = 103894
William,

Hi - the hacker would have to generate a sessionID - basically generate a duplicate cart - and then keep throwing them at a server hoping to match the legitimate sessionID of a logged in user.

I had thought of two users logged in with the same sessionID before but had to stop checking for multiple IPs due

On Tue, Oct 27, 2009 at 3:53 PM, William DeVaul <wdevaul@gmail.com> wrote:
> I think your sessionIDs are spoofable (particularly because cart
> numbers have a time element in them). If I can see a sessionID in the
> cookie, I can keep passing variations until I get a hit on one with a
> response.
>
> Keep in mind we are talking theoretical technical risk of session
> hijacking. For a CMS, you are probably OK (only you know the strength
> of your underlying code). The encryption piece is an added layer of
> complexity that makes it hard to swap sessionIDs in an attack.
>
> Bill
>
> On Tue, Oct 27, 2009 at 4:06 AM, Tom Duke <tom@revolutionaries.ie> wrote:
> > Hi guys,
> > I do the following for session cookies:
> > 1. When a user logs in I create a record in a sessionDB that includes their
> > userID, the time in seconds since epoch, and a unique sessionID using [cart]
> > 2. I set the sessionID as a cookie
> > 3. Each site has a default timeout - usually 30mins, each time a user
> > refreshes a page I reset the time in the session db
> > 4. If the user is inactive for over 30mins then they are kicked out at the
> > next attempt to access a page and the record in the sessionDB is deleted
> > 5. I run an hourly trigger that deletes any records in the sessionDB where
> > the time is over 30mins old
> > I use this for admin pages on our CMS, so I do not use persistent cookies.
> > I can't see how encrypting the session cookie improves security in this
> > context.
> > Finally one thing I don't do is check the client's IP, I found that some
> > users accessing the net from within large corporations (i.e. Microsoft)
> > accessed the site using different IPs even within the same session. I
> > assume this must be a security feature on the Microsoft end.
> > Take care
> > - Tom
>
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to
> the mailing list <talk@webdna.us>.
> To unsubscribe, E-mail to: <talk-leave@webdna.us>
> archives: http://mail.webdna.us/list/talk@webdna.us
> old archives: http://dev.webdna.us/TalkListArchive/
> Bug Reporting: http://forum.webdna.us/eucabb.html?page=topics&category=288

--
==============================================
Digital Revolutionaries
Shamrock Chambers
1-2 Eustace Street
Temple Bar, Dublin 2, Ireland
----------------------------------------------
[t]: ++ 353 1 440 3907
[f]: ++ 353 1 443 0720
[e]: <mailto:tom@revolutionaries.ie>
[w]: <http://www.revolutionaries.ie/>
==============================================
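The five-step session scheme Tom quotes above, together with William's objection that an ID carrying a time element can be walked by "passing variations", as an added example. This is illustrative Python written for this archive page, not WebDNA and not code from either poster: the class and function names, the cookie name `session`, the idle timeout of 30 minutes, and `time_based_id` (a hypothetical stand-in for a cart-style number, since the real `[cart]` format is not shown on the page) are all assumptions. The store keeps the record server-side exactly as the steps describe, but draws the ID from the OS CSPRNG instead of a cart number, which is the change that removes the search space William describes.

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # the thread's "usually 30mins", in seconds


class SessionStore:
    """Server-side session table: step 1 creates the record, step 3 refreshes it
    on every request, step 4 rejects and deletes idle records, step 5 reaps the
    rest. `clock` is injectable so the sliding window can be tested without sleeping."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}  # session_id -> {"user_id": ..., "last_seen": epoch secs}

    def login(self, user_id):
        # Step 1: the ID comes from the OS CSPRNG (256 bits), not from a cart number
        # with a time element, so there are no "variations" worth iterating.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Steps 3 and 4: return the user for a live session and slide the timeout,
        or None (dropping the record) if the session is unknown or idle too long."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["last_seen"] > self.idle_timeout:
            del self._sessions[sid]  # kicked out at the next attempt, record deleted
            return None
        rec["last_seen"] = now  # "each time a user refreshes a page I reset the time"
        return rec["user_id"]

    def logout(self, sid):
        return self._sessions.pop(sid, None) is not None

    def reap(self):
        """Step 5: the hourly trigger. Returns how many stale records were removed."""
        now = self.clock()
        stale = [s for s, r in self._sessions.items()
                 if now - r["last_seen"] > self.idle_timeout]
        for s in stale:
            del self._sessions[s]
        return len(stale)


def set_cookie_header(sid):
    # Step 2. No Expires/Max-Age, so the browser treats it as a session cookie (not
    # persistent); Secure keeps it off plaintext HTTP, HttpOnly keeps it from script.
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


# --- William's objection, made concrete (hypothetical ID format) -------------

def time_based_id(login_time, counter):
    """Stand-in for a cart-style ID: epoch seconds followed by a small counter."""
    return f"{int(login_time)}{counter:03d}"


def brute_force_time_ids(is_valid, approx_login_time, window_seconds, counter_range=1000):
    """The attacker loop from the thread: walk every ID variation within +/- window
    of the suspected login time and stop at the first one the server accepts.
    `is_valid` is the oracle (a request whose response shows the session is live).
    Returns (hit_or_None, attempts_made)."""
    attempts = 0
    base = int(approx_login_time)
    for t in range(base - window_seconds, base + window_seconds + 1):
        for c in range(counter_range):
            attempts += 1
            cand = time_based_id(t, c)
            if is_valid(cand):
                return cand, attempts
    return None, attempts


def time_id_search_space(window_seconds, counter_range=1000):
    # Candidates an attacker must try if the login time is known to +/- window.
    return (2 * window_seconds + 1) * counter_range


def random_id_search_space(nbytes=32):
    # Candidates for the CSPRNG ID above: 2^256, far beyond any online guessing.
    return 2 ** (8 * nbytes)
```

The brute-force loop needs only an oracle that tells it whether a candidate is accepted, which is exactly what a page that renders differently for a live session provides; with the hypothetical time-plus-counter format and a login time known to within a few seconds the loop finishes in a few thousand requests, whereas the same loop against a 256-bit random ID has nothing to enumerate.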