Re: Safe session IDs (How about Hijacking)

From: Kurt Seifried (bugtraqat_private)
Date: Fri Jan 11 2002 - 15:18:49 PST


    > Ooh, and here's a good question.  Once I get it to the client, how can I
    > make sure that it wasn't hijacked via man-in-the-middle or a sniffer on the
    > client end?
    >
    > I used to use REMOTE_IP and REMOTE_USERAGENT stored on server end and
    > compare to the value sent from the user.  But I need a way to ensure that
    > the cookie wasn't grabbed on the way etc. now...
    >
    > Ryan
    
    Use HTTPS. Anything else will require serious bodging.
    
    
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://www.seifried.org/security/
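An added example, not code from Kurt's reply or from Ryan's question, showing what "use HTTPS" looks like on the server side of a session: the session ID is only issued and only honoured over TLS, the cookie carries the Secure and HttpOnly attributes so the browser never sends it on a plaintext connection, and the REMOTE_IP / User-Agent comparison from the question is kept as an optional, off-by-default heuristic. The SessionStore class, its over_tls/remote_ip/user_agent parameters, and all sample values (IPs, user name, timestamps) are assumptions constructed for the demonstration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL_SECONDS = 3600


class SessionStore:
    """In-memory session store that only issues or honours a session over TLS.

    Hypothetical interface: the web layer passes whether the request arrived
    over TLS, plus the peer IP and User-Agent header.
    """

    def __init__(self):
        self._sessions = {}

    def create(self, user, *, over_tls, remote_ip, user_agent, now=None):
        if not over_tls:
            # An ID handed out over plaintext HTTP is already exposed to anyone
            # on the path, so refuse to issue one at all.
            raise PermissionError("sessions are only issued over HTTPS")
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {
            "user": user,
            "issued": now if now is not None else time.time(),
            "remote_ip": remote_ip,
            "user_agent": user_agent,
        }
        return sid

    @staticmethod
    def cookie_header(sid):
        """Set-Cookie value that keeps the browser from sending the ID over http://."""
        cookie = SimpleCookie()
        cookie["sid"] = sid
        cookie["sid"]["secure"] = True      # browser sends it only over TLS
        cookie["sid"]["httponly"] = True    # not readable by page scripts
        cookie["sid"]["samesite"] = "Strict"
        cookie["sid"]["path"] = "/"
        return cookie["sid"].OutputString()

    def lookup(self, sid, *, over_tls, remote_ip, user_agent, now=None,
               bind_client=False):
        """Return the session's user, or None if the presented ID is refused.

        bind_client=True adds the REMOTE_IP / User-Agent comparison from the
        question; it is a heuristic, so it is off by default.
        """
        if not over_tls:
            return None  # defence in depth: a Secure cookie should never arrive here
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = now if now is not None else time.time()
        if now - sess["issued"] > SESSION_TTL_SECONDS:
            self._sessions.pop(sid, None)
            return None
        if bind_client and (remote_ip != sess["remote_ip"]
                            or user_agent != sess["user_agent"]):
            return None
        return sess["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def demo():
    """Issue a session, then try the replay and legitimate cases. Constructed data."""
    store = SessionStore()
    t0 = 1_000_000.0
    sid = store.create("ryan", over_tls=True, remote_ip="203.0.113.5",
                       user_agent="Mozilla/5.0", now=t0)
    header = store.cookie_header(sid)
    # A cookie captured by a sniffer and replayed over plaintext is refused.
    replayed_plain = store.lookup(sid, over_tls=False, remote_ip="198.51.100.9",
                                  user_agent="curl/7.0", now=t0 + 1)
    # The same cookie over TLS from the original client is accepted.
    genuine = store.lookup(sid, over_tls=True, remote_ip="203.0.113.5",
                           user_agent="Mozilla/5.0", now=t0 + 1)
    # With client binding on, a different source IP is treated as a hijack.
    bound_mismatch = store.lookup(sid, over_tls=True, remote_ip="198.51.100.9",
                                  user_agent="Mozilla/5.0", now=t0 + 1,
                                  bind_client=True)
    # Past the TTL the session is dropped.
    expired = store.lookup(sid, over_tls=True, remote_ip="203.0.113.5",
                           user_agent="Mozilla/5.0",
                           now=t0 + SESSION_TTL_SECONDS + 1)
    return header, replayed_plain, genuine, bound_mismatch, expired
```

The Secure attribute is what actually keeps the ID away from a sniffer on a plaintext segment; the server-side over_tls check only backs it up. The IP/User-Agent binding is left switchable because it rejects legitimate users whose address changes mid-session (proxy pools, mobile handovers) while not stopping an attacker who can already observe the traffic, which is why the reply above points at HTTPS instead.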
    



    This archive was generated by hypermail 2b30 : Sat Jan 12 2002 - 08:17:51 PST