Re: Perl Cookie Encryption

by ant9000 (Monk)
on Apr 08, 2004 at 09:45 UTC [id://343552]


in reply to Perl Cookie Encryption

Having the cookie data encrypted does you no good at all, since the cookie itself is exactly the token needed to gain access to the server: if I get your cookie, I have access even without the password in the clear.
You'd better rely on CGI::Session and build some more security into it, to make cross-site scripting attacks more difficult. An easy way would be saving the remote IP together with the browser signature inside the session, and rejecting any request not matching the stored info.
HTH,
Ant9000

Replies are listed 'Best First'.
Re: Re: Perl Cookie Encryption
by saintmike (Vicar) on Apr 08, 2004 at 22:38 UTC
    An easy way would be saving the remote IP together with the browser signature inside the session, and rejecting any request not matching the stored info.

    The client's IP often changes between requests. If the client's ISP is using a rotating proxy (which many big ISPs do), this is so common that it renders this approach unusable.

    There is no 100% secure and browser-independent way to prevent a stolen cookie being replayed by the thief, impersonating the user.

      That's good to know. Cookies certainly seem to have their share of security holes. Looks like this isn't as easy as I originally thought. Nonetheless, it is a good learning experience. Thanks for your advice. Joe
        I have casually come across this link: Basic Web Session Impersonation: good reading, the more so if you're new to the field of securing web applications.
        Ant9000
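As an added illustration (not code from anyone in the thread), here is how the session-binding idea from ant9000's post could be done with CGI::Session while heeding saintmike's objection: only the User-Agent is bound, the client IP is left out. The session store directory, the server secret and the two sample User-Agent strings are constructed for a stand-alone run.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI::Session;
use Digest::SHA qw(sha256_hex);
use File::Temp qw(tempdir);

# Constructed stand-alone setup: a temp directory stands in for the
# server's session store; no web server is involved.
my $dir  = tempdir(CLEANUP => 1);
my $dsn  = "driver:File";
my %args = (Directory => $dir);

# Fingerprint only the User-Agent, keyed with a server-side secret so the
# stored value is not merely a hash of public data. The client IP is
# deliberately excluded: it changes too often behind ISP proxies.
my $SECRET = 'placeholder-replace-with-a-random-server-secret';
sub fingerprint { my ($ua) = @_; return sha256_hex($SECRET, $ua // '') }

# Login: create the session and record the fingerprint of the browser that
# authenticated. Only the opaque session id goes into the cookie.
sub start_session {
    my ($ua) = @_;
    my $s = CGI::Session->new($dsn, undef, \%args) or die CGI::Session->errstr;
    $s->param(fp => fingerprint($ua));
    $s->expire('+1h');
    $s->flush;
    return $s->id;
}

# Later request: load the session named by the cookie and reject it if the
# presenting browser's fingerprint differs; the session is then destroyed
# so a replayed id cannot be tried again with a different browser.
sub check_session {
    my ($sid, $ua) = @_;
    my $s = CGI::Session->load($dsn, $sid, \%args) or die CGI::Session->errstr;
    return 0 if $s->is_empty || $s->is_expired;
    if ($s->param('fp') ne fingerprint($ua)) {
        $s->delete;
        $s->flush;
        return 0;
    }
    return 1;
}

my $ua  = 'Mozilla/5.0 (X11; Linux) Firefox/0.8';   # constructed sample
my $sid = start_session($ua);
print check_session($sid, $ua)        ? "ok\n" : "rejected\n";   # same browser
print check_session($sid, 'curl/7.12') ? "ok\n" : "rejected\n";   # replayed id
```

The second check fails and removes the session, so the legitimate user is logged out as well; that trade-off is inherent to any binding scheme and is why saintmike's remark about no fully reliable replay defence still stands.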
