I think your sessionIDs are spoofable (particularly because cart
numbers have a time element in them). If I can see a sessionID in the
cookie, I can keep passing variations until I get a hit on one with a
response.
Keep in mind we are talking theoretical technical risk of session
hijacking. For a CMS, you are probably OK (only you know the strength
of your underlying code). The encryption piece is an added layer of
complexity that makes it hard to swap sessionIDs in an attack.
Bill
On Tue, Oct 27, 2009 at 4:06 AM, Tom Duke <tom@revolutionaries.ie> wrote:
> Hi guys,
> I do the following for session cookies:
> 1. When a user logs in I create a record in a sessionDB that includes their
> userID, the time in seconds since epoch, and a unique sessionID using [cart]
> 2. I set the sessionID as a cookie
> 3. Each site has a default timeout - usually 30 mins, each time a user
> refreshes a page I reset the time in the session db
> 4. If the user is inactive for over 30 mins then they are kicked out at the
> next attempt to access a page and the record in the sessionDB is deleted
> 5. I run an hourly trigger that deletes any records in the sessionDB where
> the time is over 30 mins old
> I use this for admin pages on our CMS, so I do not use persistent cookies.
> I can't see how encrypting the session cookie improves security in this
> context.
> Finally one thing I don't do is check the client's IP, I found that some
> users accessing the net from within large corporations (i.e. Microsoft)
> accessed the site using different IPs even within the same session. I
> assume this must be a security feature on the Microsoft end.
> Take care
> - Tom
>
>
-----------------------------------------------------------
This message is sent to you because you are subscribed to
the mailing list <talk@webdna.us>.
To unsubscribe, E-mail to: <talk-leave@webdna.us>
archives: http://mail.webdna.us/list/talk@webdna.us
old archives: http://dev.webdna.us/TalkListArchive/
Bug Reporting: http://forum.webdna.us/eucabb.html?page=topics&category=288
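The five-step session scheme Tom describes (server-side record of user ID plus last-seen time, idle timeout reset on each request, lazy expiry on the next hit, periodic sweep) and the guessing attack Bill raises against a time-derived session ID, written out as a small Python model. This is an added example, not code from the thread and not WebDNA's own [cart] or session handling. The `weak_session_id` format (epoch seconds plus a three-digit counter) is an assumption chosen to illustrate Bill's point, not the real [cart] format; the `SessionStore` class, `session_cookie_header` and the timestamps are constructed for the example. The hardened version replaces the time-derived ID with 256 bits from the OS CSPRNG, which is what removes the "pass variations until one hits" search space:

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

IDLE_TIMEOUT = 30 * 60  # seconds: the 30-minute idle limit from the post


@dataclass
class SessionRecord:
    user_id: str
    last_seen: float  # seconds since epoch, reset on every authenticated request


class SessionStore:
    """Server-side session table keyed by an opaque, unguessable session ID.
    (Constructed for this example; not WebDNA's sessionDB.)"""

    def __init__(self, timeout: int = IDLE_TIMEOUT) -> None:
        self.timeout = timeout
        self._table: Dict[str, SessionRecord] = {}

    def create(self, user_id: str, now: float) -> str:
        # Step 1 hardened: 256 bits from the OS CSPRNG. There is no time or
        # counter component, so seeing one ID tells an attacker nothing
        # about any other live ID.
        sid = secrets.token_urlsafe(32)
        self._table[sid] = SessionRecord(user_id, now)
        return sid

    def validate(self, sid: str, now: float) -> Optional[str]:
        """Return the user ID for a live session and refresh its timer,
        or None (and drop the record) if the ID is unknown or idle too long."""
        rec = self._table.get(sid)
        if rec is None:
            return None
        if now - rec.last_seen > self.timeout:
            del self._table[sid]  # step 4: kicked out on the next request
            return None
        rec.last_seen = now       # step 3: the idle clock restarts on activity
        return rec.user_id

    def purge(self, now: float) -> int:
        """Step 5: the periodic sweep. Returns how many records were removed."""
        expired = [s for s, r in self._table.items()
                   if now - r.last_seen > self.timeout]
        for s in expired:
            del self._table[s]
        return len(expired)

    def live_count(self) -> int:
        return len(self._table)


def session_cookie_header(sid: str) -> str:
    # Step 2: a non-persistent cookie (no Expires/Max-Age, so it dies with
    # the browser session), HttpOnly so page script cannot read it, Secure so
    # it only travels over TLS. Attribute choice is this example's, not the post's.
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


# --- Why a time-derived ID is guessable ----------------------------------
# Assumed weak scheme for illustration only: epoch seconds plus a small
# per-second counter. This is NOT WebDNA's actual [cart] format.

def weak_session_id(now: float, counter: int) -> str:
    return f"{int(now)}-{counter:03d}"


def enumerate_neighbours(observed: str, window_seconds: int,
                         max_counter: int) -> List[str]:
    """Bill's attack: from one observed ID, list every ID the weak scheme could
    have issued within +/- window_seconds of it. The space is small enough to
    replay each candidate against the server until one answers as logged in."""
    base = int(observed.split("-")[0])
    return [
        weak_session_id(t, c)
        for t in range(base - window_seconds, base + window_seconds + 1)
        for c in range(max_counter)
    ]


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1256616360.0  # constructed timestamp (October 2009)
    sid = store.create("tom", t0)
    print(session_cookie_header(sid))
    print("still logged in after 29 min:", store.validate(sid, t0 + 29 * 60))
    print("guess space for a 5 s window:",
          len(enumerate_neighbours(weak_session_id(t0, 7), 5, 10)))
```

Note the contrast the last line prints: a few hundred candidates for the time-derived scheme versus 2^256 for the random one, which is why Tom's idle-timeout and cleanup logic is sound but the strength of the whole scheme rests on how [cart] generates the ID.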