in reply to Re: Perl Cookie Encryption
in thread Perl Cookie Encryption

An easy way would be saving the remote IP together with browser signature inside the session, and rejecting any request not matching the stored info.

The client's IP often changes in between requests. If the client's ISP is using a rotating proxy (which many big ISPs do), this is so common that it renders this approach unusable.

There is no 100% secure and browser-independent way to prevent a stolen cookie being replayed by the thief, impersonating the user.
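As an added illustration (not code from this thread), the Perl below contrasts the strict IP-plus-signature binding quoted above with a signature-only binding that tolerates a rotating proxy, run over constructed requests; the helper names, the sample headers and the addresses are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Hypothetical helper: a fingerprint of the browser side of a request,
# built from headers only, deliberately leaving the remote IP out.
sub browser_signature {
    my ($req) = @_;
    return sha256_hex(join "\0", @{$req}{qw(user_agent accept_language)});
}

# Strict check, as in the quoted suggestion: IP and signature must both match.
sub strict_check {
    my ($session, $req) = @_;
    return $session->{ip} eq $req->{ip}
        && $session->{sig} eq browser_signature($req);
}

# Relaxed check: bind the session to the browser signature only; an IP change
# is logged as a signal for later review but does not end the session.
sub relaxed_check {
    my ($session, $req) = @_;
    return 0 unless $session->{sig} eq browser_signature($req);
    warn "session $session->{id}: IP moved $session->{ip} -> $req->{ip}\n"
        if $session->{ip} ne $req->{ip};
    return 1;
}

# Constructed sample: the session is created from the login request, then the
# same browser returns through a rotating ISP proxy on a different address,
# followed by a different client presenting a copied session cookie.
my $login = { ip => '203.0.113.10', user_agent => 'Mozilla/5.0 (X11; Linux)',
              accept_language => 'en-US' };
my %session = ( id => 'abc123', ip => $login->{ip},
                sig => browser_signature($login) );

my @later = (
    { %$login, ip => '203.0.113.11' },              # same browser, proxy rotated
    { ip => '198.51.100.7', user_agent => 'curl/8.0',
      accept_language => 'en-US' },                # different client, copied cookie
);

for my $r (@later) {
    printf "%-15s strict=%d relaxed=%d\n", $r->{ip},
        strict_check(\%session, $r)  ? 1 : 0,
        relaxed_check(\%session, $r) ? 1 : 0;
}
```

The strict check rejects the legitimate user as soon as the proxy rotates, while the relaxed check keeps that session alive and still catches the copied cookie only because the second client's headers differ; a replay that also copies the headers passes both checks, which is the limitation the reply above points out.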

Re: Re: Re: Perl Cookie Encryption
by JoeJaz (Monk) on Apr 09, 2004 at 02:11 UTC
    That's good to know. Cookies certainly seem to have their share of security holes. Looks like this isn't as easy as I originally thought. Nonetheless, it is a good learning experience. Thanks for your advice. Joe
      I have casually come across this link: Basic Web Session Impersonation: good reading, the more so if you're new to the field of securing web applications.
      Ant9000