in reply to Sessions with perl cgi

Others have suggested perhaps better ways to generate a session ID to guarantee uniqueness, and have pointed out the spoofing problem. One technique you can use to help ameliorate the spoofing problem is in addition to having hard to guess unique IDs, you can store the IP address of the client in with your session info (optionally even encoding it (hashed, presumably) in the session ID itself). Then, when you validate a new session, you can test that the incoming IP address matches that stored for your session. If it is a mismatch, you can either ignore/report the request, or abort the entire session as being "compromised."

It is not foolproof (i.e. your attacker/spoofer could be coming from the same IP address as the spoofed session, or could even be spoofing the IP address), but it does add an extra layer of difficulty for the potential attacker, especially the attacker trying to randomly guess session IDs.

--JAS

Replies are listed 'Best First'.
Re: Re: Sessions with perl cgi
by MidLifeXis (Monsignor) on Oct 17, 2003 at 16:41 UTC

    This assumes that your clients are not accessing through a proxy. A proxy could introduce one of two "problems" to this...

    • Multiple clients come through the same proxy
    • One client can come through multiple proxies

    Situation 1 could happen with a large provider (AOL, for example). Situation 2 could happen with a farm of load balanced proxies / NAT / firewalls.

    Point being that this could generate some false positives (from a hack detection view), but if you can live with that, then yes, jsegal's suggestion does have merit :)

    --MidLifeXis

[reply]

In Section Seekers of Perl Wisdom