mailing list archives
Re: Cookie Security
From: "Red Davies" <red () criticalintegration com>
Date: Tue, 29 Apr 2008 13:55:41 -0400
I simply have to sniff the session id cookie, and specify this from another client, and I am signed into the
application as the associated user.
It is a very simple attack vector. One that I've used successfully in
One simple method which would make its use even harder would be to
encode the clients IP address in the token. Then you can perform some
simple algorithm on your server to check if your remote client's IP
matches that which is encoded in your token.
If not, you know you it's stolen.