Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: Robert van der Meulen <rvdm () CISTRON NL>
Date: Wed, 27 Dec 2000 16:51:40 +0100
Quoting Bill Reamy (bill () staffnet com):
> The latest version of iMail, from Ipswitch solves this problem (somewhat) by associating identity with both a session id in the url, _and_ the user's IP address. Both must match before the next page loads.
Does it use a 'forwarded-for' header, if there is one? (I don't recall the exact header name, but most proxies use a separate header to indicate the _real_ IP address, instead of the proxy address.)

In both cases this is a problem:

a) proxy doesn't set 'forwarded-for' header
   This means everyone behind the same proxy can take over the session, if they have the session ID.

b) proxy does set 'forwarded-for'
   This means anyone _without_ a proxy can forge the forwarded-for header in their request.

Both methods are not secure. If one were to use a combination of proxy- and forwarded-for headers, it would be _more_ secure, but still not enough.
> If you are designing a web system that requires authentication, why not use HTTP Authentication? It's not perfect, but at least the browser was designed to not give this info up easily.
Only if you use SSL - without SSL the username and password information will
be passed with _any_ request (even for images!), in cleartext. This is the
webserver's idea of session management, and in my opinion it's even worse
than URL-embedded session ids :)

As a poster earlier in the thread mentioned: the best way is hashing
username, password, (both) IP addresses, and a date/time value together, and
using this as the basis of a (regularly reaped, and always unique - use
unixtime) file or database entry, containing session parameters.
(Have the file reaped _regularly_, and have a re-login mechanism in place,
as you will run into 'cybercafe-problems' - stupid users that don't log out
but just close their browser after they 'checked their mail' in a public
place - and the next user who sits down and re-connects to the session
through the browser's history.)
Greets,
Robert
--
| rvdm () cistron nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |
"Cleveland? Yes, I spent a week there one day."
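The session store the message above describes (username, password, both IP addresses and the unix time hashed together as the key to a regularly reaped entry that is bound to those addresses), as an added Python example that is not part of this post. The server-side HMAC secret and the 15-minute idle limit are my assumptions, not something the post specifies.

```python
import hashlib
import hmac

SESSION_LIFETIME = 15 * 60  # assumption: seconds of inactivity before an entry is reaped
# Assumption, not from the post: keying the hash with a server secret means
# nobody can recompute a session id from the (guessable) inputs.
SERVER_SECRET = b"constructed-demo-secret-change-me"


class SessionStore:
    """In-memory stand-in for the file or database table the post describes."""

    def __init__(self):
        self._entries = {}  # session id -> session parameters

    def create(self, username, password, client_ip, proxy_ip, now):
        """Hash user, password, both addresses and unixtime into a unique id."""
        material = "|".join([username, password, client_ip, proxy_ip, str(now)]).encode()
        sid = hmac.new(SERVER_SECRET, material, hashlib.sha256).hexdigest()
        # Only the id and the binding data are stored; the password is not.
        self._entries[sid] = {
            "user": username,
            "client_ip": client_ip,
            "proxy_ip": proxy_ip,
            "last_seen": now,
        }
        return sid

    def lookup(self, sid, client_ip, proxy_ip, now):
        """Return the username if the id is live and both addresses still match, else None."""
        self.reap(now)
        entry = self._entries.get(sid)
        if entry is None:
            return None  # unknown or reaped: caller sends the user to re-login
        if entry["client_ip"] != client_ip or entry["proxy_ip"] != proxy_ip:
            return None  # id presented from a different address pair: refuse it
        entry["last_seen"] = now
        return entry["user"]

    def reap(self, now):
        """Drop idle entries so an abandoned public-terminal session cannot be resumed later."""
        expired = [s for s, e in self._entries.items() if now - e["last_seen"] > SESSION_LIFETIME]
        for s in expired:
            del self._entries[s]
        return len(expired)
```

As the post notes, the proxy-side address comes from a forwarded-for header the client can forge, so the address check narrows the window but does not replace the idle reaping and re-login.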