Re: Re: Perl Cookie Encryption


There's more than one way to do things
	PerlMonks

Re: Re: Perl Cookie Encryption

by saintmike (Vicar)

on Apr 08, 2004 at 22:38 UTC ( [id://343787]=note: print w/replies, xml )

Need Help??

in reply to Re: Perl Cookie Encryption
in thread Perl Cookie Encryption

An easy way would be saving the remote IP together with browser signature inside the session, and rejecting any request not matching the stored info

The client's IP often changes in between requests. If the client's ISP is using a rotating proxy (which many big ISPs do), this is so common that it renders this approach unusable.

There is no 100% secure and browser-independent way to prevent a stolen cookie being replayed by the thief, impersonating the user.

Comment on Re: Re: Perl Cookie Encryption

Replies are listed 'Best First'.
Re: Re: Re: Perl Cookie Encryption by JoeJaz (Monk) on Apr 09, 2004 at 02:11 UTC
That's good to know. Cookies certainly seem to have their share of security holes. Looks like this isn't as easy as I originally thought. Nonetheless, it is a good learning experience. Thanks for your advice. Joe	[reply]
Re: Re: Re: Re: Perl Cookie Encryption by ant9000 (Monk) on Apr 21, 2004 at 11:46 UTC
I have casually come across this link: Basic Web Session Impersonation: a good reading, the more so if you're new to the field of securing web applications. Ant9000	[reply]

In Section Seekers of Perl Wisdom

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://343787]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others exploiting the Monastery: (3)

As of 2024-04-19 19:06 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found