Vulnerability Development: Re: Cookies

[Slawek <sgp () TELSATGP COM PL>]

Tuesday, August 08, 2000 11:28 PM +0200, Denis Ducamp wrote:
> On Tue, Aug 08, 2000 at 02:23:17PM -0400, Kev wrote:
> > In one Web-accessible application I wrote, I did indeed put the
authentication
> > information in a cookie, but I also put an MD5 hash of the contents of
the
> > cookie appended to a secret that I placed in a configuration file, to
prevent
> > this very security problem.  I'm curious, though, if anyone can point out
> > any problems with this approach?
> Do you verify that :
> <snip>
> . a cookie generated for an IP A can't be used by an IP B ?
>   Difficulty : if the user is behind a proxy that doesn't give the client
IP
>   then another client behind that proxy may use that cookie.
>   Other data as client software and version may be part of verified data.

oops,

afair some large ip-masquerading systems does use multiple IPs for
masquerading. It may lead to requests from one user coming from more than
one IP.

some http proxies may use similar technique.


just my $.02,
Slawek