8/9/2023

Session hijacking attack

The SSL only helps with sniffing attacks. If an attacker has access to your machine I will assume they can copy your secure cookie too.

At the very least, make sure old cookies lose their value after a while. Even a successful hijacking attack will be thwarted when the cookie stops working. If the user has a cookie from a session that logged in more than a month ago, make them reenter their password. Make sure that whenever a user clicks on your site's "log out" link, that the old session UUID can never be used again.

I'm not sure if this idea will work but here goes: Add a serial number into your session cookie, maybe a string like this:

SessionUUID, Serial Num, Current Date/Time

Encrypt this string and use it as your session cookie. Regularly change the serial num - maybe when the cookie is 5 minutes old and then reissue the cookie. You could even reissue it on every page view if you wanted to. On the server side, keep a record of the last serial num you've issued for that session. If someone ever sends a cookie with the wrong serial number it means that an attacker may be using a cookie they intercepted earlier so invalidate the session UUID and ask the user to reenter their password and then reissue a new cookie.

Remember that your user may have more than one computer so they may have more than one active session. Don't do something that forces them to log in again every time they switch between computers.

Collect this information on every request. Do this each time the user successfully logs in.
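The rotating-serial scheme described above, written out as an added example (this is not the post's code). It keeps the post's three-part cookie (session UUID, serial, issue time) and its server-side record of the last serial issued, rotates the serial once the cookie is five minutes old, tears the session down on a stale serial, forces a fresh login after a month, and lets one user hold several sessions. The post asks for the string to be encrypted; this example substitutes an HMAC-SHA256 tag so it runs on the standard library alone, which gives integrity but not confidentiality (a real deployment would use an authenticated-encryption primitive). The key, timestamps and user names are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import uuid

# Tunables taken from the post: rotate the serial once a cookie is 5 minutes old,
# and force a fresh login once a session is a month old.
ROTATE_AFTER = 5 * 60
MAX_SESSION_AGE = 30 * 24 * 60 * 60
MAC_LEN = hashlib.sha256().digest_size


class SessionStore:
    """Server-side session records plus issue/verify of the signed cookie.

    HMAC stands in for the post's "encrypt this string" (assumption: integrity only).
    """

    def __init__(self, key: bytes):
        self._key = key
        self._sessions = {}  # session UUID -> record; a user may own several

    def _sign(self, payload: bytes) -> str:
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + tag).decode("ascii")

    def _verify(self, cookie: str):
        """Decoded payload dict, or None when the cookie is forged or garbled."""
        try:
            raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
        except (ValueError, binascii.Error):
            return None
        payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        try:
            return json.loads(payload)
        except ValueError:
            return None

    def _issue(self, sid: str, now: float) -> str:
        rec = self._sessions[sid]
        rec["issued_at"] = now
        # The post's "SessionUUID, Serial Num, Current Date/Time" triple.
        return self._sign(json.dumps({"sid": sid, "serial": rec["serial"], "issued": now}).encode())

    def login(self, user: str, now: float) -> str:
        """Called after a successful password check: fresh UUID, serial 0."""
        sid = str(uuid.uuid4())
        self._sessions[sid] = {"user": user, "serial": 0, "login_at": now, "issued_at": now}
        return self._issue(sid, now)

    def logout(self, cookie: str) -> None:
        """After logout the old session UUID can never be used again."""
        data = self._verify(cookie)
        if data is not None:
            self._sessions.pop(data.get("sid"), None)

    def authenticate(self, cookie: str, now: float):
        """Per-request check. Returns (status, user, cookie_to_set); status is
        "ok", "reauth" (send to the login page) or "invalid" (forged cookie)."""
        data = self._verify(cookie)
        if data is None:
            return ("invalid", None, None)
        sid = data.get("sid")
        rec = self._sessions.get(sid)
        if rec is None:
            return ("reauth", None, None)
        if now - rec["login_at"] > MAX_SESSION_AGE:
            del self._sessions[sid]
            return ("reauth", None, None)
        if data.get("serial") != rec["serial"]:
            # A superseded serial means someone presented a copy taken earlier:
            # invalidate the session so both holders must re-enter the password.
            del self._sessions[sid]
            return ("reauth", None, None)
        new_cookie = cookie
        if now - rec["issued_at"] >= ROTATE_AFTER:
            rec["serial"] += 1
            new_cookie = self._issue(sid, now)
        return ("ok", rec["user"], new_cookie)


def demo():
    """Walk the post's scenarios with constructed timestamps; returns pass/fail per case."""
    store = SessionStore(key=b"constructed-demo-key-not-for-production")
    t0 = 1_700_000_000.0
    r = {}
    laptop = store.login("alice", t0)      # two computers, two sessions
    desktop = store.login("alice", t0)
    r["two_sessions_ok"] = (store.authenticate(laptop, t0 + 1)[0] == "ok"
                            and store.authenticate(desktop, t0 + 1)[0] == "ok")
    status, _, same = store.authenticate(laptop, t0 + 60)        # under 5 min: unchanged
    r["no_rotation_yet"] = status == "ok" and same == laptop
    status, _, laptop2 = store.authenticate(laptop, t0 + 400)    # past 5 min: new serial
    r["rotated"] = status == "ok" and laptop2 != laptop
    r["replay_detected"] = store.authenticate(laptop, t0 + 401)[0] == "reauth"   # old copy
    r["victim_reauth"] = store.authenticate(laptop2, t0 + 402)[0] == "reauth"    # session gone
    r["other_session_intact"] = store.authenticate(desktop, t0 + 403)[0] == "ok"
    store.logout(desktop)
    r["logout_final"] = store.authenticate(desktop, t0 + 404)[0] == "reauth"
    forged = SessionStore(key=b"attacker-guess").login("alice", t0)   # wrong key
    r["forgery_rejected"] = store.authenticate(forged, t0)[0] == "invalid"
    old = store.login("bob", t0)
    r["month_old_reauth"] = store.authenticate(old, t0 + MAX_SESSION_AGE + 1)[0] == "reauth"
    return r
```

Two operational caveats follow from the design. Rotating on every page view, as the post allows, makes parallel requests from one browser (several tabs, prefetching) race the serial and trip the replay check against the legitimate user, so a short grace window or per-request rotation only on state-changing requests is the usual compromise. And the check is reactive: whoever presents the cookie first, attacker or victim, gets the new serial, and the other party is bounced to the login page; that surfaces the compromise rather than preventing it, which is why the post pairs it with short cookie lifetimes and a hard re-login after a month.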