Home page logo

basics logo Security Basics mailing list archives

Cookie Security
From: ellukicq () icqmail com
Date: 28 Apr 2008 14:17:10 -0000

Hi Everyone,

I have recently analysed a web application and found what I imagine is a common flaw.
As a result, I'm after some advice around cookie security in web applications.

The web application server simply provides the client with a unique session ID cookie to associate authenticated 
The session ID is sufficiently random, however, there appears to be no methods employed to avoid the interception, and 
reuse of this session ID. (i.e cookie/session stealing).
I simply have to sniff the session id cookie, and specify this from another client, and I am signed into the 
application as the associated user.

I would like to propose some actions to improve this mechanism.
I have considered the following two methods which I know to be used elsewhere:

Although the application supports SSL, it does not enforce it. (I have obviously proposed that this is changed).
Session ID limited to IP address. (proxy servers and load balancers will limit the usefulness of this method).

As SSL is not currently an option, I am also considering the following:
        *Session ID is returned to user by the web application as normal.
        *Upon next request, the user encrypts the Session ID using the MD5 hash of their password as the key 
(presumably available to JavaScript. stored as a secure cookie?). This is then posted to the server.
        *The server attempts to decrypt the string with it's version of the users hash.
        *If successful, and the Session ID is still valid, access is granted.
Does this sound feasible? Has anyone seen anything similar implemented?

Additionally, although Session IDs are changed every "x" requests, there is no alert/lockout for Session IDs that 
attempt to be reused inside of the expiry time.
(The key indication of cookie/session stealing).
Access is denied, but no alert is given that eavesdropping may have taken place. I would like to propose the user is 
signed out or alerted and administrators have a log of such events.
Is this a known method of Session ID security?

Could some of you provide your input and experience in securing this form of session management?



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]