Re: [WebDNA] Secure Cookies

This WebDNA talk-list message is from Tom Duke, 2009.
William,

Hi - the hacker would have to generate a sessionID - basically generate a duplicate cart - and then keep throwing them at a server hoping to match the legitimate sessionID of a logged-in user.

I had thought of two users logged in with the same sessionID before but had to stop checking for multiple IPs due

On Tue, Oct 27, 2009 at 3:53 PM, William DeVaul <wdevaul@gmail.com> wrote:
> I think your sessionIDs are spoofable (particularly because cart
> numbers have a time element in them). If I can see a sessionID in the
> cookie, I can keep passing variations until I get a hit on one with a
> response.
>
> Keep in mind we are talking theoretical technical risk of session
> hijacking. For a CMS, you are probably OK (only you know the strength
> of your underlying code). The encryption piece is an added layer of
> complexity that makes it hard to swap sessionIDs in an attack.
>
> Bill
>
> On Tue, Oct 27, 2009 at 4:06 AM, Tom Duke <tom@revolutionaries.ie> wrote:
> > Hi guys,
> > I do the following for session cookies:
> > 1. When a user logs in I create a record in a sessionDB that includes their
> > userID, the time in seconds since epoch, and a unique sessionID using [cart]
> > 2. I set the sessionID as a cookie
> > 3. Each site has a default timeout - usually 30mins, each time a user
> > refreshes a page I reset the time in the session db
> > 4. If the user is inactive for over 30mins then they are kicked out at the
> > next attempt to access a page and the record in the sessionDB is deleted
> > 5. I run an hourly trigger that deletes any records in the sessionDB where
> > the time is over 30mins old
> > I use this for admin pages on our CMS, so I do not use persistent cookies.
> > I can't see how encrypting the session cookie improves security in this
> > context.
> > Finally one thing I don't do is check the client's IP, I found that some
> > users accessing the net from within large corporations (i.e. Microsoft)
> > accessed the site using different IPs even within the same session. I
> > assume this must be a security feature on the Microsoft end.
> > Take care
> > - Tom

--
==============================================
Digital Revolutionaries
Shamrock Chambers
1-2 Eustace Street
Temple Bar, Dublin 2, Ireland
----------------------------------------------
[t]: ++ 353 1 440 3907
[f]: ++ 353 1 443 0720
[e]: tom@revolutionaries.ie
[w]: http://www.revolutionaries.ie/
==============================================
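Tom's five steps as an added Python sketch (my code, not from the post or from WebDNA; the in-memory SessionDB and the Set-Cookie attributes are assumptions of this example): it follows the create/refresh/expire/purge procedure and swaps the time-derived [cart] number that Bill objects to for a CSPRNG token, which is the change that removes the guessability he describes.

```python
import secrets
import time

SESSION_TIMEOUT = 30 * 60   # seconds of inactivity allowed (Tom's "usually 30mins")


class SessionDB:
    """In-memory stand-in for the sessionDB in the post (hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so the timeout can be exercised offline
        self.sessions = {}      # sessionID -> {"userID": ..., "time": ...}

    def login(self, user_id):
        # Step 1: record userID, seconds since epoch and a sessionID.
        # A 32-byte CSPRNG token (256 bits) replaces the [cart] number: unlike an
        # ID with a time element, neighbouring values tell an attacker nothing.
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = {"userID": user_id, "time": int(self.clock())}
        return session_id

    def touch(self, session_id):
        """Steps 3-4: each page access resets the timer, or kicks the user out."""
        rec = self.sessions.get(session_id)
        if rec is None:
            return None                      # unknown or already expired ID
        if self.clock() - rec["time"] > SESSION_TIMEOUT:
            del self.sessions[session_id]    # idle too long: delete the record
            return None
        rec["time"] = int(self.clock())
        return rec["userID"]

    def purge(self):
        """Step 5: the hourly trigger removing records older than the timeout."""
        now = self.clock()
        stale = [sid for sid, rec in self.sessions.items()
                 if now - rec["time"] > SESSION_TIMEOUT]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)


def cookie_header(session_id):
    """Step 2 as a Set-Cookie line. The attributes are an assumption of this
    example (not from the post): no Expires, so the cookie is not persistent;
    HttpOnly/Secure keep it away from scripts and plaintext HTTP."""
    return f"sessionID={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"
```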