comment on

Others have suggested perhaps better ways to generate a session ID to guarantee uniqueness, and have pointed out the spoofing problem. One technique you can use to help ameliorate the spoofing problem is in addition to having hard to guess unique IDs, you can store the IP address of the client in with your session info (optionally even encoding it (hashed, presumably) in the session ID itself). Then, when you validate a new session, you can test that the incoming IP address matches that stored for your session. If it is a mismatch, you can either ignore/report the request, or abort the entire session as being "compromised."

It is not foolproof (i.e. your attacker/spoofer could be coming from the same IP address as the spoofed session, or could even be spoofing the IP address), but it does add an extra layer of difficulty for the potential attacker, especially the attacker trying to randomly guess session IDs.

--JAS

In reply to Re: Sessions with perl cgi by jsegal
in thread Sessions with perl cgi by wolis

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.