Http Session security
  1. #1
    Junior Member
    Join Date
    Jan 2003
    Posts
    11

    Http Session security

    I am making a website which uses sessions. When someone logs in the following happens:

    1. A random session id is generated and placed in the cookie.

    2. The session id is also placed in a database along with the IP of the user, the username of the user and the time this session was created.

    Now this is what happens on every page that needs logging in:

    1. The session id in the cookie is checked to match the session id in the database, and the IP of the user is checked to match the IP in the database. If either doesn't match, the user is asked to log in.

    Is this secure? How can I make it more secure? I know that if the user is on an insecure Ethernet LAN his session can get hijacked. How can I fix this?

    Thank you all

  2. #2
    Junior Member
    Join Date
    Jan 2003
    Posts
    11
    Any ideas?

  3. #3
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    I think using HTTPS does a lot of the work for you in securing your connection...
    http://httpd.apache.org/docs-2.0/ssl/

    And don't forget a timeout (for cybercafés and other multi-user situations like schools etc.).
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Several things:

    1. Some users change IP during a session. This includes some AOL users to the best of my knowledge. Whilst you might not like AOL users, unfortunately they make up a rather large proportion of the internet (Sadly, even in countries which don't start with the letter A)

    These users would fail your session system.

    2. Ensure that your site is not vulnerable to cross-site scripting problems. If another user of your site manages to get some customised JavaScript to be displayed in another user's session, he can hijack the cookie used for session maintenance, patch it into his own cookies.txt and therefore hijack the session.

    This is a classic attack against web applications, and Hotmail etc. have historically been vulnerable to it. Clearly, depending on the nature of the application, you may be fairly safe.

    3. If you use HTTPS, ensure it's used for all pages which require authentication and make sure the "secure" attribute is set on the cookie. This will tell the browser never to send the cookie over a plain HTTP link (but doesn't protect against cross-site scripting).

    I would also recommend using either HTTP basic authentication over HTTPS, or client certificates instead. The former is easy to set up and not vulnerable to cross-site scripting, the latter is extremely secure (but has a big overhead on setup and requires the clients to have certificates)
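
An added example, not code from anyone in this thread: a Python sketch of the scheme in the first post (random session id, stored with username, IP and creation time, checked on every protected page), with the timeout reply #3 asks for and the "secure" cookie attribute from reply #4. The in-memory dict standing in for the database table, the 15-minute idle timeout, the HttpOnly and SameSite attributes (SameSite postdates this thread) and the `bind_ip` switch that lets the IP check be relaxed for users whose address changes mid-session are all assumptions of this example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed in-memory stand-in for the post's database table:
# session_id -> {user, ip, created, last_seen}. A real app keeps this in its DB.
SESSIONS = {}

# Idle timeout in seconds (assumed value): the timeout reply #3 asks for, so a
# session left open on a shared machine in a cybercafe dies on its own.
SESSION_TTL = 15 * 60


def create_session(username, client_ip, now=None):
    """Log-in step: mint an unguessable session id and store it with the user,
    the client IP and the creation time, as the first post describes."""
    now = time.time() if now is None else now
    # 32 bytes from the OS CSPRNG; never derive the id from username/time/counters.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "ip": client_ip,
                     "created": now, "last_seen": now}
    return sid


def session_cookie_header(sid):
    """Set-Cookie line to send with the login response.
    Secure: the browser never sends it over plain HTTP (reply #4, point 3).
    HttpOnly: page scripts cannot read it, which blunts the cookie-stealing
    cross-site scripting attack in reply #4, point 2 (assumed attribute).
    SameSite=Strict: not sent on cross-site requests (postdates the thread)."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    return c.output(header="Set-Cookie:").strip()


def validate_session(cookie_header, client_ip, now=None, bind_ip=True):
    """Per-page check: return the username for a live session, else None
    (the caller then redirects to the login page).
    bind_ip=True is the first post's IP check; reply #4 notes it logs out users
    whose IP changes mid-session (proxied AOL users in 2003), so it is a switch."""
    now = time.time() if now is None else now
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" not in c:
        return None
    sid = c["sid"].value
    rec = SESSIONS.get(sid)
    if rec is None:
        return None                       # unknown or already destroyed id
    if now - rec["last_seen"] > SESSION_TTL:
        del SESSIONS[sid]                 # idle too long: destroy server side
        return None
    if bind_ip and rec["ip"] != client_ip:
        return None                       # cookie presented from another address
    rec["last_seen"] = now
    return rec["user"]


def destroy_session(sid):
    """Logout: drop the server-side record so a copied cookie is useless afterwards."""
    return SESSIONS.pop(sid, None) is not None


if __name__ == "__main__":
    # Constructed walkthrough with fixed clock values and documentation IPs.
    sid = create_session("alice", "203.0.113.5", now=1_000.0)
    print(session_cookie_header(sid))
    cookie = "sid=" + sid
    print(validate_session(cookie, "203.0.113.5", now=1_100.0))       # alice
    print(validate_session(cookie, "198.51.100.7", now=1_100.0))      # None: IP differs
    print(validate_session(cookie, "203.0.113.5",
                           now=1_100.0 + SESSION_TTL + 1))             # None: idle timeout
```

The IP check is deliberately a switch rather than hard-wired: with `bind_ip=True` a stolen cookie replayed from another address is rejected, which is the first post's intent, but the users reply #4 describes would be bounced to the login page on every address change. Whatever the choice, the server-side timeout and the `Secure` attribute cost nothing and close the shared-machine and plain-HTTP cases on their own.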

  5. #5
    Junior Member
    Join Date
    Jan 2003
    Posts
    11
    Wow, very helpful, slarty. Thanks.

    Anyone know how Hotmail or Yahoo maintain sessions?
