mailing list archives
Re: Cookie Security
From: Audrius <organzarama () gmail com>
Date: Tue, 29 Apr 2008 16:09:57 +0300
If your application has XSS vulnerabilities, then such a method will not
be secure. Using XSS all client-side security methods could be
The technique you describe could be implemented in an easier way. On every
response, generate a new token, which must be returned to the server on the
next request. Place this token in cookies, hidden fields, the URL,
whatever, but the server must get it back on the next request. If the next request
comes without the correct token, then the session is over. This method will also
help you avoid CSRF vulnerabilities. On the server side you can also
check the user's screen resolution, color depth, browser/OS/Flash/Java
version, etc. If any of these changes, the session is over. But these
methods will not work if your site is vulnerable to XSS attacks.
As SSL is not currently an option, I am also considering the following:
* Session ID is returned to the user by the web application as normal.
* Upon the next request, the user encrypts the Session ID using the MD5 hash of their password as the key.
* The server attempts to decrypt the string with its version of the user's hash.
* If successful, and the Session ID is still valid, access is granted.
Does this sound feasible? Has anyone seen anything similar implemented?
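The per-response rotating token and client fingerprint check described in the reply above, as an added example that is not code from the thread or from either poster. It assumes an in-memory dict as the server-side session store, uses only the Python standard library, and the fingerprint tuple (user agent, screen resolution, color depth) and the "alice" session are constructed sample data:

```python
import secrets
import hmac

# Added example (not from the thread): per-response rotating token plus a
# client "fingerprint" check. The dict stands in for a real session store.

class SessionStore:
    def __init__(self):
        # session_id -> {"user", "token", "fingerprint"}
        self._sessions = {}

    def login(self, user, fingerprint):
        """Create a session and return (session_id, first_token)."""
        sid = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "token": token, "fingerprint": fingerprint}
        return sid, token

    def request(self, sid, token, fingerprint):
        """Validate one request. Returns (accepted, next_token).

        A missing or wrong token, or a changed fingerprint, ends the session:
        the entry is deleted, so neither an attacker nor the real user can
        continue with that session id.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return False, None
        # Constant-time compare; token may be absent (e.g. a CSRF-forged request).
        if token is None or not hmac.compare_digest(sess["token"], token):
            del self._sessions[sid]
            return False, None
        if fingerprint != sess["fingerprint"]:
            del self._sessions[sid]
            return False, None
        # Accepted: issue a fresh token the client must echo on its next request.
        sess["token"] = secrets.token_urlsafe(32)
        return True, sess["token"]

    def is_active(self, sid):
        return sid in self._sessions


def simulate():
    """Walk through legitimate use, a replayed (stolen) token, a forged request
    and a fingerprint change; returns the outcome of each step."""
    store = SessionStore()
    fp = ("Mozilla/5.0 (X11; Linux)", "1280x1024", 24)  # constructed fingerprint
    sid, t1 = store.login("alice", fp)
    results = {}

    ok, t2 = store.request(sid, t1, fp)
    results["first_request"] = ok                 # legitimate: t1 accepted

    # An attacker who sniffed the session id and t1 (say, over plain HTTP)
    # replays them after the real user has already consumed t1.
    ok, _ = store.request(sid, t1, fp)
    results["replayed_old_token"] = ok            # rejected, session destroyed
    results["session_alive_after_replay"] = store.is_active(sid)

    # The real user's next request with the valid t2 now fails too: session is over.
    ok, _ = store.request(sid, t2, fp)
    results["user_after_replay"] = ok

    # Fresh session: a CSRF-style forged request carries the cookie but no token.
    sid, t1 = store.login("alice", fp)
    ok, _ = store.request(sid, None, fp)
    results["forged_without_token"] = ok
    results["session_alive_after_forgery"] = store.is_active(sid)

    # Fresh session: correct token, but the client fingerprint changed.
    sid, t1 = store.login("alice", fp)
    other_fp = ("Mozilla/5.0 (Windows NT 5.1)", "1024x768", 32)
    ok, _ = store.request(sid, t1, other_fp)
    results["fingerprint_changed"] = ok
    return results


if __name__ == "__main__":
    for step, accepted in simulate().items():
        print(f"{step}: {accepted}")
```

Two caveats a practitioner would add: a strict one-token-per-response scheme breaks on concurrent requests (parallel XHR calls, several tabs, the back button), so real deployments usually keep a small window of recently issued tokens; and, as the reply says, none of this survives XSS, since injected script can read the current token from the DOM or a non-HttpOnly cookie and make requests as the user.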