
Re: Protecting against Cookie copying

  • Martin Moss
    Message 1 of 5, Nov 8, 2004
      Thanks everyone. You've done a good job of assuring me
      that I haven't missed the whole point of the way these
      things work.

      There's been some really useful ideas suggested, and
      I'm going to have a think about which, if any, are
      worth implementing.

      Ultimately I'm upgrading our site from normal Basic
      authentication, which sends username and password
      unencrypted anyway, so compared to that the security
      upgrade is still a big increase!

      Marty

      --- Sam Tregar <sam@...> wrote:
      > On Mon, 8 Nov 2004, Martin Moss wrote:
      >
      > > I'm looking into ways of uniquely identifying a
      > > computer.
      >
      > Intel tried to implement this a while back with a
      > unique ID in the CPU. The public was not amused. If
      > you do find a way, please tell us so we can find a
      > workaround.
      >
      > > What I wish to do is prevent another user copying
      > > the session cookie, from one computer to another,
      > > and then gaining access.
      >
      > You can get close by using a very short session
      > timeout, tying the IP to the cookie and putting a
      > serial number on each form. I believe this is what
      > my bank does. Sure, the IP can be spoofed or shared,
      > and hackers can automate systems to defeat the
      > timeouts and serial numbers, but it definitely
      > raises the bar. As an added bonus, the serial
      > numbers also help with the ubiquitous catastrophe
      > which is the back button.
      >
      > -sam
      >
      > --
      > Report problems: http://perl.apache.org/bugs/
      > Mail list info:
      > http://perl.apache.org/maillist/modperl.html
      > List etiquette:
      > http://perl.apache.org/maillist/email-etiquette.html
      >
      >

      --
      Report problems: http://perl.apache.org/bugs/
      Mail list info: http://perl.apache.org/maillist/modperl.html
      List etiquette: http://perl.apache.org/maillist/email-etiquette.html
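The mechanism Sam describes in the quoted reply (a short idle timeout, the session bound to the client IP it was issued to, and a one-time serial number on each form that also swallows back-button resubmits) written out as an added example. This is illustrative Python, not mod_perl code from the list or from any project; the SessionStore class, the FakeClock helper, the 300-second timeout and the client addresses are all constructed for the example.

```python
import secrets
import time

# Constructed value: a short idle timeout limits how long a copied cookie stays usable.
SESSION_IDLE_TIMEOUT = 300


class SessionStore:
    """Hypothetical in-memory session store (not Apache::Session or any real
    module). Each session is bound to the client IP it was created from and
    carries a set of unused one-time form serial numbers."""

    def __init__(self, idle_timeout=SESSION_IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock      # injectable clock so the timeout can be exercised deterministically
        self.sessions = {}      # session id -> {"user", "ip", "last_seen", "serials"}

    def create(self, user, client_ip):
        sid = secrets.token_urlsafe(32)  # unguessable session id goes in the cookie
        self.sessions[sid] = {"user": user, "ip": client_ip,
                              "last_seen": self.clock(), "serials": set()}
        return sid

    def validate(self, sid, client_ip):
        """Return the session record if the cookie is valid for this client, else None."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last_seen"] > self.idle_timeout:
            del self.sessions[sid]   # expired: drop it so a late-arriving copy cannot revive it
            return None
        if sess["ip"] != client_ip:
            return None              # cookie presented from an address it was not issued to
        sess["last_seen"] = now      # sliding idle window
        return sess

    def issue_form_serial(self, sid, client_ip):
        """Mint a one-time serial to embed as a hidden field when a form is rendered."""
        sess = self.validate(sid, client_ip)
        if sess is None:
            return None
        serial = secrets.token_urlsafe(16)
        sess["serials"].add(serial)
        return serial

    def consume_form_serial(self, sid, client_ip, serial):
        """Accept a form submission only if its serial was issued to this session and is unused."""
        sess = self.validate(sid, client_ip)
        if sess is None:
            return False
        if serial not in sess["serials"]:
            return False  # forged, or already used (e.g. the back button resubmitting a form)
        sess["serials"].remove(serial)
        return True


class FakeClock:
    """Constructed clock so the scenario below can advance time without sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def scenario():
    """Walk through the checks and return which ones held; constructed addresses from TEST-NET ranges."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=300, clock=clock)
    sid = store.create("marty", "192.0.2.10")
    results = {}
    results["same_ip_ok"] = store.validate(sid, "192.0.2.10") is not None
    results["other_ip_rejected"] = store.validate(sid, "198.51.100.7") is None
    serial = store.issue_form_serial(sid, "192.0.2.10")
    results["first_submit_ok"] = store.consume_form_serial(sid, "192.0.2.10", serial)
    results["resubmit_rejected"] = not store.consume_form_serial(sid, "192.0.2.10", serial)
    results["forged_serial_rejected"] = not store.consume_form_serial(sid, "192.0.2.10", "not-issued")
    clock.advance(301)  # one second past the idle timeout
    results["expired_rejected"] = store.validate(sid, "192.0.2.10") is None
    return results


if __name__ == "__main__":
    for name, held in scenario().items():
        print(f"{name}: {'ok' if held else 'FAILED'}")
```

The IP check is the heuristic Sam calls out: clients behind NAT or a proxy pool share one address, and a mobile client can change address mid-session, so a mismatch is better treated as a reason to log and re-authenticate than as proof of theft. The per-form serial is the check that does not depend on the network: a copied cookie alone cannot submit a form whose serial was rendered only to the original browser.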