in reply to Re^2: Identifying clients
in thread Identifying clients

The flaw (or feature) in the current design is that the session entries are cleared as soon as they expire. So if a user tries to continue with an expired session id, the application has no reference to be able to say if the session is simply expired or it's a malicious attempt to steal someone's session. That's the line of thinking that started the whole ip blocking plan.

Since I can't rely on the ip I don't think there's anything I can do to prevent a session attack so there's not much point blocking or timing anything ip or session related.

About the only thing I think I can do at this point is penalty box the user id after a failed login. At least then I can slow down a password attack, while not affecting an already logged in user.

Replies are listed 'Best First'.
Re^4: Identifying clients
by Firefly258 (Beadle) on Dec 08, 2006 at 20:56 UTC
    The flaw (or feature) in the current design is that the session entries are cleared as soon as they expire. So if a user tries to continue with an expired session id,...

    Consider this ID as invalid and indeed expired, then authenticate him/her again to generate a new session ID.

    About the only thing I think I can do at this point is penalty box the user id after a failed login.

    But consider a threshold, a number of tries before taking punitive action, a user might mistakenly enter his/her password quite repeatedly with no malicious intent at all, and you don't want to tick a user off at this sesnsitive time.

    perl -e '$,=$",$_=(split/\W/,$^X)[y[eval]]]+--$_],print+just,another,split,hack'er
[reply]
[d/l]

In Section Seekers of Perl Wisdom