Re^2: Identifying clients

The algorithm ought to treat unknown or expired session IDs as invalid and proceed to authenticate the user before generating a new, unique, valid session ID for the new session. This way there'd be no need to involve a potentially irritating time-out problem. A timeout should probably be used after repetetive failures to authenticate the user properly.

Also, by the very definition of a session, a session ought to expire after a certain period of inactivity, otherwise one could just do away with the need for sessions IDs to identify a "session" as a period of continuous involvement with the application and we could term the ID as a client ID instead as there'd be little or no variance.

perl -e '$,=$",$_=(split/\W/,$^X)[y[eval]]]+--$_],print+just,another,split,hack'er

Comment on Re^2: Identifying clients Download Code

Replies are listed 'Best First'.
Re^3: Identifying clients by ruzam (Curate) on Dec 07, 2006 at 18:14 UTC
The flaw (or feature) in the current design is that the session entries are cleared as soon as they expire. So if a user tries to continue with an expired session id, the application has no reference to be able to say if the session is simply expired or it's a malicious attempt to steal someone's session. That's the line of thinking that started the whole ip blocking plan. Since I can't rely on the ip I don't think there's anything I can do to prevent a session attack so there's not much point blocking or timing anything ip or session related. About the only thing I think I can do at this point is penalty box the user id after a failed login. At least then I can slow down a password attack, while not affecting an already logged in user.	[reply]
Re^4: Identifying clients by Firefly258 (Beadle) on Dec 08, 2006 at 20:56 UTC
The flaw (or feature) in the current design is that the session entries are cleared as soon as they expire. So if a user tries to continue with an expired session id,... Consider this ID as invalid and indeed expired, then authenticate him/her again to generate a new session ID. About the only thing I think I can do at this point is penalty box the user id after a failed login. But consider a threshold, a number of tries before taking punitive action, a user might mistakenly enter his/her password quite repeatedly with no malicious intent at all, and you don't want to tick a user off at this sesnsitive time. `perl -e '$,=$",$_=(split/\W/,$^X)[y[eval]]]+--$_],print+just,another,split,hack'er`	[reply] [d/l]