Are there any web application frameworks that implement per
action/screen session cookies? Java or perl libraries to help with
this seemingly complex task? I can imagine a case where a click back
might give you some grief...
Thanks,
Ken A.
Mark Reardon wrote:
> 2. Any static cookie is subject to being stolen. What the government
> used to require of internet banks (1995 and 1996) was that cookies
> had to change on a per screen (or action) basis. If the wrong cookie
> was received the session was logged out.
>
> I believe we used a random number that was then encrypted. The key
> that was derived from a hash of bits such as the host portion of the
> browser's network socket and the browser's identifying HTTP string.
> Thus, each session had potentially a different key value that was
> recoverable from the information available to a CGI.
>
> Since each screen had a different random value, the combination
> caused hard crack attempts to be too time consuming and frankly,
> difficult, to be of value. We also had a short timeout so an idle
> browser only had so much exposure. It wasn't perfect but it closed
> things down a bit.
>
> We stored the random value in our backend database. The advantage of
> this is that the web servers could fail over (causing an SSL session
> renegotiation) and the banking session would not die. However, if the
> browser were to fail over or change IP address, we would have logged
> the user out of their session due to a bad cookie.
>
> Mark
>
> ---- Mark Reardon Reardon Information Security Corporation (404)
> 444-0041
>
>
Received on Jul 24 2003
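An added, self-contained sketch of the per-screen cookie scheme Mark describes (this is example code written for this page, not code from the thread or from any product): each screen gets a fresh random value held in a backend store, the cookie binds that value to a key derived from the client's host and User-Agent string, a wrong or stale cookie logs the session out, and an idle timeout bounds the exposure of an abandoned browser. It also walks through Ken's "click back" concern: re-sending the previous screen's cookie is exactly the "wrong cookie" case and ends the session. The 300-second timeout, the in-memory dict standing in for the database, and the HMAC used in place of the post's "encrypted random number" are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 300  # seconds of inactivity before a session is dropped (assumed value)


class SessionStore:
    """Stand-in for the backend database that holds each session's current
    random per-screen value. Keeping it server-side rather than in one web
    server's memory is what lets a web server fail over without killing the
    banking session, as the post describes."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session_id -> {"nonce": bytes, "last_seen": float}
        self._clock = clock   # injectable so the idle timeout can be exercised offline

    @staticmethod
    def _client_key(client_host, user_agent):
        # Per-session key derived from a hash of the browser's host and its
        # identifying HTTP string, recoverable from what a CGI can see.
        return hashlib.sha256(f"{client_host}|{user_agent}".encode()).digest()

    @staticmethod
    def _cookie_value(session_id, key, nonce):
        # Bind the random per-screen value to the client-derived key. An HMAC is
        # used here in place of the encryption the post mentions (assumption).
        mac = hmac.new(key, nonce, hashlib.sha256).hexdigest()
        return f"{session_id}.{mac}"

    def login(self, client_host, user_agent):
        """Create a session and return the cookie for the first screen."""
        session_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self._sessions[session_id] = {"nonce": nonce, "last_seen": self._clock()}
        return self._cookie_value(session_id, self._client_key(client_host, user_agent), nonce)

    def check_and_rotate(self, presented, client_host, user_agent):
        """Validate the cookie sent with this screen. On success, rotate the
        random value and return the cookie for the next screen. Any wrong cookie
        (stale, forged, or sent from a different host/UA) logs the session out
        and returns None."""
        session_id, _, _ = presented.partition(".")
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[session_id]   # idle browser: session expired
            return None
        key = self._client_key(client_host, user_agent)
        expected = self._cookie_value(session_id, key, entry["nonce"])
        if not hmac.compare_digest(expected, presented):
            del self._sessions[session_id]   # wrong cookie => logged out
            return None
        entry["nonce"] = secrets.token_bytes(16)   # new random value for the next screen
        entry["last_seen"] = now
        return self._cookie_value(session_id, key, entry["nonce"])

    def is_logged_in(self, presented):
        session_id, _, _ = presented.partition(".")
        return session_id in self._sessions


def demo_back_button(store=None):
    """Constructed walk-through: one normal click, then a replay of the
    previous screen's cookie (what a browser Back + resubmit sends).
    Returns (first click accepted, replay rejected, session still alive)."""
    store = store or SessionStore()
    host, ua = "192.0.2.10", "Mozilla/4.0 (constructed UA)"   # constructed client identity
    c1 = store.login(host, ua)
    c2 = store.check_and_rotate(c1, host, ua)       # screen 1 -> screen 2, value rotates
    replay = store.check_and_rotate(c1, host, ua)   # stale cookie re-sent
    return c2 is not None, replay is None, store.is_logged_in(c2)
```

The walk-through returns (True, True, False): the first click is accepted, the replayed cookie is refused, and the session is gone afterwards. That is the trade-off Ken is asking about: the same rule that defeats a stolen static cookie also punishes a legitimate Back-button resubmit, so a framework adopting this scheme has to decide whether a stale cookie ends the session or merely redirects to the current screen.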