WebApp Sec: Re: How to protect against cookie stealing?

From: Chris Green <cmg_at_sourcefire.com>
Date: Fri, 25 Jul 2003 14:10:57 -0400

".:[ Death Star]:." <deathstar_at_optonline.net> writes:
>
> There is another solution: you can use both session IDs and cookies, so
> based on the IP address you would look for the cookie before giving the
> user access control. The session ID will store 2 fields (for example, userid
> and associated IP address); the cookie will hold other fields. And you can
> use multiple sessions and multiple cookies that will be destroyed upon
> opening another page.

Has anyone going down this route of incorporating an IP address into
the cookie gotten pushback from people on networks with multiple
proxies or routing rules?

-- 
Chris Green <cmg_at_sourcefire.com>
Don't use a big word where a diminutive one will suffice.
Received on Jul 26 2003
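
The IP-bound session check discussed in this thread, as an added example that is not part of either poster's message. It shows a replayed session ID being rejected from a different address, and a legitimate user whose requests leave through two proxies in turn being rejected as well. The class and function names, the addresses, and the choice to destroy the session on a mismatch are assumptions of this example.

```python
import secrets


class IPBoundSessions:
    """Server-side store that records (userid, ip) for each session ID."""

    def __init__(self):
        self._store = {}

    def login(self, userid, client_ip):
        sid = secrets.token_urlsafe(32)  # unguessable session ID
        self._store[sid] = (userid, client_ip)
        return sid

    def check(self, sid, client_ip):
        """Return the userid if the session exists and the IP matches, else None."""
        entry = self._store.get(sid)
        if entry is None:
            return None
        userid, bound_ip = entry
        if client_ip != bound_ip:
            # Assumption of this example: a mismatch destroys the session,
            # so a replayed ID cannot simply be retried.
            del self._store[sid]
            return None
        return userid


def replay(sessions, sid, source_ips):
    """Send one request per source IP; return True/False per request."""
    return [sessions.check(sid, ip) is not None for ip in source_ips]


def demo():
    sessions = IPBoundSessions()
    # Constructed addresses from the RFC 5737 documentation ranges.
    direct = sessions.login("alice", "192.0.2.10")
    direct_ok = replay(sessions, direct, ["192.0.2.10"] * 3)
    # Same session ID presented from an unrelated address.
    stolen_ok = replay(sessions, direct, ["203.0.113.66"])
    # A user whose requests alternate between two proxy egress addresses.
    proxied = sessions.login("bob", "198.51.100.1")
    proxied_ok = replay(
        sessions, proxied, ["198.51.100.1", "198.51.100.2", "198.51.100.1"]
    )
    return direct_ok, stolen_ok, proxied_ok


if __name__ == "__main__":
    print(demo())
```

The proxied user passes the first request, fails the second when the egress address changes, and stays locked out afterwards because the session was destroyed.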