Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: Session security with cookies

Re: Session security with cookies

From: Vicente Aguilera <vaguilera_at_isecauditors.com>
Date: Wed, 05 Dec 2007 09:24:53 +0100

Hi,

Jeffory Atkinson wrote:
> Till,
> Here are some factors that you will want to ensure.
> -Session token is delivered after authentication
> -Each session token is unique and not predictable (requiring a strong
> random token generator)
> -Session token is transfer over an encrypted tunnel
> -Session token is marked secure
> -Ensure the session is terminated at logout
> -Ensure the session times out in a reasonable amount of time
> -All access control should be based on the user's session token and only
> the session token

The information to authenticate a user should not rely solely on the
session cookie. In this case it would be vulnerable to CSRF (Cross
Site Request Forgery) attacks. It's necessary to use another token
(URL parameter, hidden form fields, etc.) cryptographically secure
to prevent these attacks.

Regards, 

-- 
_________________________________
Vicente Aguilera Díaz
Director Auditoría
CISA, CISSP, ITIL, CEH Instructor, OPSA, OPST
OWASP Spain Chapter Leader
vaguilera_at_isecauditors.com
PGP: 0x3E74464D - 8D3C B308 4F40 896E 50A8  B66B 80DF 107D 3E74 464D
Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2º 1ª.
08030 Barcelona
Tel: +34.933.051.318
Fax: +34.932.782.248
www.isecauditors.com
          ____________________________________
Este mensaje y los documentos que, en su caso lleve anexos, pueden
contener información CONFIDENCIAL. Por ello, se informa al
destinatario que la información contenida en el mismo es reservada y
su uso no autorizado, publicación o difusión, entera o parcialmente,
tanto en formato o medio físico como electrónico, sin el previo
consentimiento de Internet Security Auditors, está prohibida legalmente.
Si ha recibido este correo por error, le rogamos que nos lo
comunique por la misma vía o por teléfono (93 305 13 18), se
abstenga de realizar copias del mensaje o remitirlo o entregarlo a
otra persona y proceda a borrarlo de inmediato.
En cumplimiento de la Ley Orgánica 15/1999 de 13 de diciembre de
protección de datos de carácter personal, Internet Security Auditors
S.L., le informa de que sus datos personales se han incluido en
ficheros informatizados titularidad de Internet Security Auditors
S.L., que será el único destinatario de dichos datos, y cuya
finalidad exclusiva es la gestión de clientes y acciones de
comunicación comercial, y de que tiene la posibilidad de ejercer los
derechos de acceso, rectificación, cancelación y oposición previstos
en la ley mediante carta dirigida a Internet Security Auditors, c.
Santander, 101. Edif. A. 2º 1ª, 08030 Barcelona, o vía e-mail a la
siguiente
dirección de correo: legal_at_isecauditors.com
> 
> -----Original Message-----
> From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com]
> On Behalf Of Till Elsner
> Sent: Monday, December 03, 2007 6:32 PM
> To: webappsec_at_securityfocus.com
> Subject: Session security with cookies
> 
> Hi, i'm investigating in web application security this time and i'm  
> trying to find some information about session management with cookies  
> and related security issues. Can anyone point me to tips on how to  
> make cookie based sessions more secure and how to prevent session  
> hijacking? How secure is session handling using cookies and what are  
> the main risks? Is anyone aware of good literature on that topic?
> Thanks and have a nice day
> Till
> 
> ------------------------------------------------------------------------
> -
> Sponsored by: Watchfire 
> Methodologies & Tools for Web Application Security Assessment 
> With the rapid rise in the number and types of security threats, web
> application security assessments should be considered a crucial phase in
> the development of any web application. What methodology should be
> followed? What tools can accelerate the assessment process? Download
> this Whitepaper today! 
> 
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> ------------------------------------------------------------------------
> -
> 
> 
> 
> -------------------------------------------------------------------------
> Sponsored by: Watchfire 
> Methodologies & Tools for Web Application Security Assessment 
> With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! 
> 
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------
> 
> 
-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! 
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Received on Dec 05 2007
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos