
RE: Session Fixation

From: Noam Eppel <noam(at)noameppel.com>
Date: Mon Mar 31 2003 - 16:41:21 EST


>From: Information Security <InformationSecurity@federatedinv.com>
>To: "'alex@netWindows.org'" <alex@netWindows.org>,webappsec@securityfocus.com
>Subject: RE: Session Fixation
>Date: Mon, 31 Mar 2003 15:08:07 -0500
>
>Thanks for the comments. I disagree with a few, let me know what you think:

The pitfalls of relying on a client IP for session validation and authentication have been discussed in depth before. But client IPs can be used as part of an equation that is then hashed to make the initial session ID. If an attacker can guess how sessions are generated, session hijacking becomes easier. So it is best to use a few different sources in your equation.

An equation with multiple sources can make it harder for an attacker to guess a valid session. Basically you want something you know is guaranteed unique (so no two sessions are the same), sufficiently random (hard to guess) and contains one secret.

For example,

Current Time - guaranteed unique.
Random Function - pseudo random number.
Client IP - ex. 65.78.98.20
Server Secret - "the king is great!"

SESSIONID = SaltedHASH(current time + random number + client IP + server secret)

The hash can use algorithms such as MD5 (128b), SHA-1 (160b) or SHA-256 (256b).

An attacker can know the algorithm used, may know the client IP and might figure out the time the session was generated, but would not know the random number or server secret.


Of course, most popular server-side development languages can automatically generate session IDs, so this is not a concern for most developers.

Noam Eppel
secure@noameppel.com
Web Security Consultant

Received on Mon Mar 31 17:19:53 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT

