There's more than one way to do things | |
PerlMonks |
Re: CGI security problem:Netscape 6.X: browser session security weakness in clientby derby (Abbot) |
on Feb 04, 2002 at 13:56 UTC ( [id://143234]=note: print w/replies, xml ) | Need Help?? |
hackmare,
I don't consider this any more of a security risk than any other long running browser. All good session tracking should take into account inactivity. All good security-consience apps should never expose private information based on cookie values alone. It's one thing to show XXXX-XXXX-XXXX-1234 for credit card numbers based on cookie info, it's quite another to allow that value to be changed or allow shipping addresses to be changed based on cookie values alone - when dealing with private info always force re-authentication Also, you're just asking for trouble if you're using a random string generated by the browser for session ids (is this even true?). You, as a web programmer, have no control over that number (bad thing) and run the risk of session id collisions (very bad thing). All good apps would generate their own session id and send that back to the browser via cookie (and via URL mangling just in case the user will not accept cookies). Now can someone still hijack a session? You bet your life they can. It's just a reality of the biz and will always be that way. Can you do a lot to make that more difficult - Absolutely. MD5'ed sessionids can help tremendously - forcing re-authentication when displaying or allowing changes to private information is a must and never relying on browser generated info is a commandment. Since you can never depend on a user exiting the browser in the first place - this behaviour with NS6.X should not throw any web dev into a tizzy. -derby
In Section
Meditations
|
|