Security Basics mailing list archives

Re: Cookie Security
From: Audrius <organzarama () gmail com>
Date: Wed, 30 Apr 2008 12:08:53 +0300

This limitation is already done.

From the first post:
-> Session ID limited to IP address. (proxy servers and load balancers
will limit the usefulness of this method).

2008/4/29 Red Davies <red () criticalintegration com>:

> I simply have to sniff the session id cookie, and specify this from another client, and I am signed into the
> application as the associated user.
>
> It is a very simple attack vector.  One that I've used successfully in
> a pen-test.
>
> One simple method which would make its use even harder would be to
> encode the client's IP address in the token.  Then you can perform some
> simple algorithm on your server to check if your remote client's IP
> matches that which is encoded in your token.
>
> If not, you know it's stolen.
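One way to implement the IP-bound session token discussed in this thread, as an added example that is not code from either poster: the server keeps a secret key, issues a token that carries the session id plus an HMAC over the session id and the client's IP address, and on each request recomputes the HMAC for the IP the request actually arrived from. A token replayed from a different address fails the check. The same mechanism also shows the caveat from the first post: a legitimate client whose apparent IP changes (proxy pool, load balancer without client-IP forwarding, mobile network) is rejected just like a stolen token. The key, session ids and addresses below are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import secrets


def new_session_id() -> str:
    """Random, URL-safe session id (never contains '|' or '.', so the
    token format below is unambiguous)."""
    return secrets.token_urlsafe(32)


def _tag(session_id: str, client_ip: str, key: bytes) -> str:
    # Normalise the address so "::ffff:203.0.113.5" and "203.0.113.5" differ
    # only if they are genuinely different addresses to the server.
    ip = ipaddress.ip_address(client_ip).compressed
    msg = f"{session_id}|{ip}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, client_ip: str, key: bytes) -> str:
    """Bind session_id to client_ip: token = session_id + '.' + HMAC tag.

    Nothing secret is stored in the token; the binding is protected by the
    server-side key, so a client cannot re-sign it for another address.
    """
    return f"{session_id}.{_tag(session_id, client_ip, key)}"


def verify_token(token: str, client_ip: str, key: bytes):
    """Return the session id if the token is valid for client_ip, else None.

    Returns None for a malformed token, an unparsable address, a tampered
    session id, or a token presented from a different IP than it was
    issued for (the stolen-cookie case, but also the proxy/NAT case).
    """
    try:
        session_id, tag = token.rsplit(".", 1)
        expected = _tag(session_id, client_ip, key)
    except ValueError:
        return None
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if hmac.compare_digest(tag, expected):
        return session_id
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # server-side secret (constructed)
    sid = new_session_id()
    token = issue_token(sid, "203.0.113.5", key)    # issued to the real client
    print("same client:     ", verify_token(token, "203.0.113.5", key) == sid)
    print("replayed elsewhere:", verify_token(token, "198.51.100.7", key))  # None
```

Because the IP is an input to the HMAC rather than stored in plaintext, an attacker who captures the cookie learns nothing that lets them forge a token for their own address without the server key. The rejection of the "replayed elsewhere" case is the defence the thread describes; the identical rejection for a client whose address legitimately changed is the limitation the first post warns about, so deployments behind proxies need either trusted client-IP forwarding or a weaker binding.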


