"Never trust the client" is an old rule in security. There seems to be some confusion between cookies and session information here, so let's start by sorting that out: session information is stored on the server side (except for the session token), while cookies are stored on the client side (in the browser). Because cookies live on the client, the user can change them whenever they want to. The best practice is to store the session token inside a cookie. However, if the session token does not meet strong criteria such as randomness, uniqueness, and resistance to statistical and cryptographic analysis, it might be possible for an attacker to manipulate the session.

Here are four main methods used to hijack a session:
Malware - can hijack a browser to steal its cookie files without the user's knowledge.
Cross-site scripting - the attacker gets the user's browser to run code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.
Session sidejacking - the attacker steals the session cookie through packet sniffing.
Session fixation - session IDs are accepted from the URL.

The attacker must use a valid session token, which can be found easily if a site is badly configured: a badly configured site might store the token in the URL, or not generate a random one, etc. The attacker might then change their own session token to hijack another session; this attack is commonly known as session hijacking through cookie manipulation. You should also use HTTPS wherever possible so that an attacker can't snoop on the HTTP payload and get a copy of the session key that way (this is how Firesheep worked).
Yes, if you can guess another user's session key then you can become them. This is why you need an unpredictable session key that can be revoked. Session keys should be unpredictable and disposable (possibly with one user having many session keys at once).

There have been cases where best practice hasn't been followed. For example, Moonpig produced an API which used a session key that was the user's ID, which is set on account creation as a consecutive number. This is a really good example of how to do it wrong: if that user wanted to stop you, they couldn't, as it is the key for all the sessions they are engaged in and can't be changed, since it is their unique ID within the Moonpig database.

As mentioned in the comments, the session key should be in the HTTP payload (cookies or form data) and not in the URL. This is because having session data in the URL means you have to put it in the URL of every link, it stops you from persisting a session if the user leaves and comes back, copying the URL and sending it to someone gives them your session data, and there is a limit on the number of characters a URL can have.
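The following is an added example, not code from the original page, showing how the advice above fits together in one place: session state kept server-side, an opaque random token issued only as a cookie with HttpOnly/Secure/SameSite attributes, the token regenerated on login (session fixation), tokens that can be revoked (unlike a user ID), any session ID supplied in the URL ignored, and a small audit helper that flags sequential IDs of the Moonpig kind. All names here (SessionStore, token_from_request, looks_sequential, the "sid" cookie name) are assumptions for illustration, not a real framework's API.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Sequence

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG: unpredictable and unique

@dataclass
class Session:
    user_id: Optional[int] = None
    data: dict = field(default_factory=dict)

class SessionStore:
    """Session state lives here, on the server. The client only ever holds
    the opaque token, and only in a cookie (hypothetical helper class)."""

    def __init__(self):
        self._sessions = {}

    def new_token(self) -> str:
        # No relation to user IDs, counters or time, so nothing to guess from.
        return secrets.token_urlsafe(TOKEN_BYTES)

    def create(self) -> str:
        token = self.new_token()
        self._sessions[token] = Session()
        return token

    def lookup(self, token: Optional[str]) -> Optional[Session]:
        # A token is only meaningful if the server issued it and still holds it.
        return self._sessions.get(token) if token else None

    def login(self, old_token: Optional[str], user_id: int) -> str:
        """Session fixation mitigation: on privilege change, discard the token
        the client arrived with and bind the user to a freshly generated one."""
        sess = self._sessions.pop(old_token, None) or Session()
        sess.user_id = user_id
        new = self.new_token()
        self._sessions[new] = sess
        return new

    def revoke(self, token: str) -> bool:
        """A random token can be thrown away at any time; a user ID cannot."""
        return self._sessions.pop(token, None) is not None

def token_from_request(cookies: dict, query: dict) -> Optional[str]:
    """Take the token from the cookie only. A 'sid' in the URL query string is
    deliberately ignored, so a link carrying someone else's ID does nothing."""
    return cookies.get("sid")

def set_cookie_header(token: str) -> str:
    """HttpOnly: not readable by page scripts (limits cookie theft via XSS).
    Secure: only sent over HTTPS (counters sidejacking such as Firesheep).
    SameSite=Lax: not attached to cross-site requests."""
    return f"sid={token}; Path=/; HttpOnly; Secure; SameSite=Lax"

def looks_sequential(ids: Sequence[str]) -> bool:
    """Audit check: do consecutively issued IDs form an arithmetic sequence?
    True for counter-style IDs (1001, 1002, ...), False for random tokens."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    if len(nums) < 2:
        return False
    diffs = {b - a for a, b in zip(nums, nums[1:])}
    return len(diffs) == 1

def demo() -> dict:
    """Walk a request through the store and report what a verifier can check."""
    store = SessionStore()
    t0 = store.create()
    url_attempt = token_from_request({}, {"sid": t0})  # fixation via URL: None
    t1 = store.login(token_from_request({"sid": t0}, {}), user_id=42)
    return {
        "url_token_accepted": url_attempt is not None,
        "old_token_valid_after_login": store.lookup(t0) is not None,
        "new_token_user": store.lookup(t1).user_id,
        "cookie": set_cookie_header(t1),
        "revoked": store.revoke(t1),
        "valid_after_revoke": store.lookup(t1) is not None,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print("sequential IDs flagged:", looks_sequential(["1001", "1002", "1003"]))
```

The design choice worth noting is that the server never derives anything from the token: it is a lookup key and nothing more, so leaking it reveals no user identity, and deleting it from the store is all revocation needs.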