
Re: How to protect against cookie stealing?

From: Bill Pennington <billp(at)boarder.org>
Date: Thu Jul 24 2003 - 11:05:27 EDT


The first thing you should do is to make sure you limit the chances an attacker has at getting a valid session cookie. A short list includes:

There are a couple of things you can think about using to make cookie theft a bit more difficult. (These ideas are really Jeremiah Grossman's not mine)

  • Hash the token using the first octet of the IP address. I don't recall a valid user hopping across a Class A, though it could happen.
  • Hash the token using the User-Agent string from the browser.

These two things can raise the bar for any would-be cookie thief. If you employed both of these then the cookie thief would need to know what you were doing, then get the first octet of the victim's IP and get the full user-agent string. This is not impossible of course but it raises the bar considerably.

Hope that helps. I know others will have good ideas as well.

Oh one more thing, I seem to recall IE will re-negotiate SSL sessions after a certain period of time so you can't really use SSL sessions.

On Wednesday, July 23, 2003, at 10:33 PM, Phil Cox wrote:

> All,
>
> I have a question on how people are handling cookie stealing and

---
Bill Pennington, CISSP, CCNA
Chief Technology Officer
WhiteHat Security Inc.
http://www.whitehatsec.com
Received on Thu Jul 24 13:02:40 2003
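One way to implement the two bindings Bill describes (first IP octet plus User-Agent), written as an added example that is not part of this thread; the HMAC-SHA256 construction, the server key and the sample addresses and User-Agent strings are assumptions:

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Assumed server-side secret; a real deployment loads this from protected config.
SERVER_KEY = b"example-server-key-replace-me"


def first_octet(ip: str) -> str:
    """Return the first octet of a dotted-quad IPv4 address (the 'Class A' part)."""
    return ip.split(".", 1)[0]


def bind_token(session_id: str, client_ip: str, user_agent: str) -> str:
    """Build the cookie value: the session id plus an HMAC tag that ties it to the
    client's first IP octet and full User-Agent string (assumed construction)."""
    msg = "|".join([session_id, first_octet(client_ip), user_agent]).encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_cookie(cookie: str, client_ip: str, user_agent: str) -> Optional[str]:
    """Return the session id if the tag matches the presenting client's first
    octet and User-Agent; otherwise None (stolen cookie replayed elsewhere)."""
    try:
        session_id, _tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed cookie, no tag present
    expected = bind_token(session_id, client_ip, user_agent)
    # Constant-time comparison so the tag cannot be recovered via timing.
    if hmac.compare_digest(expected, cookie):
        return session_id
    return None


def demo() -> dict:
    """Constructed scenario: same Class A passes, other network or UA fails."""
    sid = secrets.token_hex(16)
    ua = "Mozilla/5.0 (constructed sample User-Agent)"
    cookie = bind_token(sid, "203.0.113.7", ua)  # constructed client address
    return {
        "same_class_a": verify_cookie(cookie, "203.0.113.9", ua) == sid,
        "other_class_a": verify_cookie(cookie, "198.51.100.7", ua) is None,
        "other_user_agent": verify_cookie(cookie, "203.0.113.7", "curl/8.0") is None,
    }
```

The demo shows the trade-off in the post: a user whose address moves within the same first octet keeps their session, while a replay from another network or a different browser string is rejected.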

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT
