Below is a thorough security-model-to-prevent-session-jacking post that I
made earlier this year.

Peruse and enjoy.

Nat Papovich
ICQ 32676414
"Whatever you do may seem insignificant,
but it is most important that you do it." -M. Gandhi


-----Original Message-----
From: Nat Papovich [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 31, 2000 10:07 AM
To: Fusebox Listserve (E-mail)
Subject: RE: IRenovate.com and fusetokens, RE: How to's on cookies and security


I'm not busy a'tall, just playing some Tribes :)

My cookie settin' code (which is my login page, but could be incorporated
into an app_globals):

make sure that they don't have a cfid or cftoken set as a cookie (which I'm
not doing, which means no "remembering" people across sessions)
        <cfcookie name="CFID" value="" expires="NOW">
        <cfcookie name="CFTOKEN" value="" expires="NOW">

make sure they don't have one of my cool long-ass hard-to-guess wombatids as
a cookie
        <cfcookie name="wombatid" value="" expires="NOW">

assemble this gigantic wombatid thing
        <CFSET TDSTAMP="#DateFormat(Now(),'mmddyyyy')##TimeFormat(Now(),'hhmmss')#">
        <CFSET RANDOMNUM1=RAND()*100000000>
        <CFSET RANDOMNUM2=RAND()*100000000>
which is a random 1 to 100 million number, then a date and time stamp (to
the second), then a UUID generated by CF (which, BTW, isn't random, but is
sequentially unique), followed by another 1 to 100 million number.
        <CFSET ID="#RANDOMNUM1##TDSTAMP##CreateUUID()##RANDOMNUM2#">
then hash it using the best crypto around
        <CFX_HASH CIPHER="HAVAL" INPUTSTRING="#ID#" VARIABLE="WOMBAT">
and place it as a cookie on the browser. Notice that by not setting an
"expires" it will die when the browser is closed and cannot be read in the
cookies folder, and will still get set if the browser is set to "no
cookies". You're at about a jillion jillion to 1 for guessing this puppy right
now.
        <cfcookie name="wombatid" value="#wombat#">

then, after a successful login, (or if you're not doing a login, but instead
doing this just to maintain session, you can stick it right after the above
code, but take out the "cookie." from "#cookie.wombatid#" cuz it won't have
been set yet) you set a client (or session) var to the value of the
wombatid. Now you have two copies of the same long-ass hard-to-guess number,
one in a cookie, one in a client/session var.
<cfif IsDefined("cookie.wombatid")>
<cfset client.wombatid="#cookie.wombatid#">
</cfif>

So for every page request, (app_globals) you check to see if the long-ass
hard-to-guess string that's set in a user's cookie matches the one that you
have set in a client var. If not, I boot them, and make a note of their
surfing info, including who they were trying to impersonate and their IP, so
I can lock them out if need be, but you could instead set them up with a
fresh session and a new cookie.
<!--- the cookie copy and the client-var copy of the wombatid must match --->
<cfif IsDefined("cookie.wombatid") and IsDefined("client.wombatid") and IsDefined("client.urltoken")>
        <cfif cookie.wombatid NEQ client.wombatid>
                <!--- mismatch: kill the cookie, log the attempt, boot them --->
                <cfcookie name="wombatid" value="" expires="NOW">
                <cffile action="append"
                        file="e:\cflog\sessionfail\sessionfail-#DateFormat(Now(),'yyyy_mm_dd')#.log"
                        addnewline="yes"
                        output="#cgi.remote_addr#, #TimeFormat(now())#, #client.userid#, #client.username#">
                <cflocation url="../expired.html" addtoken="No">
        </cfif>
<cfelse>
        <!--- no cookie, no client var or no urltoken: nothing to compare --->
        <cflocation url="../expired.html">
</cfif>

I developed this system with the intent to cut out session hijacking, not
enable indexed urltokens, so it might be flawed somewheres, but with a
little monkeying, it should solve whatever yer problem is.
Hope that helped.


Nat "Long on ALLR" Papovich
[EMAIL PROTECTED]   ICQ 32676414
"Whatever you do may seem insignificant,
but it is most important that you do it."  -M.K. Gandhi
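The two-copy check in the post above, as an added example in Python (not ColdFusion and not the original author's code): a dict stands in for CF client variables, the id that would travel in the URL (CFID/CFTOKEN in the post) is the key, and the secret that must also arrive in the cookie is a second value bound to that record. Names such as SessionStore, login(), check_request() and demo() are chosen here; the addresses and user in demo() are constructed. One difference from the post is flagged in the comments: the secret comes straight from the OS CSPRNG (secrets) instead of the Rand()/timestamp/UUID concatenation, so no hashing step is needed, and the comparison is constant-time.

```python
# Added example: the post's two-copy session check in Python. Not the
# original author's code; SessionStore, login(), check_request() and demo()
# are names chosen here. A dict stands in for ColdFusion client variables.
import hmac
import secrets
from datetime import datetime, timezone


class SessionStore:
    """Server side: one record per session, keyed by the id that travels in the URL."""

    def __init__(self):
        self._sessions = {}   # session_id -> {"wombatid", "userid", "username"}
        self.fail_log = []    # stands in for e:\cflog\sessionfail\sessionfail-*.log

    def login(self, userid, username):
        # The URL token identifies the session; the wombatid is the secret that
        # must also arrive in a cookie. Both come from the OS CSPRNG here, which
        # replaces the post's Rand()/timestamp/UUID mix plus HAVAL hashing.
        session_id = secrets.token_hex(8)
        wombatid = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "wombatid": wombatid, "userid": userid, "username": username,
        }
        return session_id, wombatid   # session_id goes in the URL, wombatid in a session cookie

    def check_request(self, session_id, cookies, remote_addr):
        """Per-request check (the app_globals cfif block). Returns (allowed, reason)."""
        sess = self._sessions.get(session_id)
        cookie_val = cookies.get("wombatid")
        if sess is None or cookie_val is None:
            # The post's cfelse branch: nothing to compare, send to expired.html
            return False, "expired"
        # Constant-time compare so the check itself leaks nothing about the stored value
        if not hmac.compare_digest(cookie_val.encode(), sess["wombatid"].encode()):
            # The post's mismatch branch: record who was being impersonated and
            # from where, then deny (clearing the requester's cookie is the caller's job)
            stamp = datetime.now(timezone.utc).strftime("%H:%M:%S")
            self.fail_log.append(
                f"{remote_addr}, {stamp}, {sess['userid']}, {sess['username']}"
            )
            return False, "mismatch"
        return True, "ok"


def demo():
    """Constructed scenario: a real user, then an attacker who has only the URL."""
    store = SessionStore()
    sid, wombat = store.login(42, "nat")
    results = []
    # 1. the legitimate browser: URL token plus the matching cookie
    results.append(store.check_request(sid, {"wombatid": wombat}, "10.0.0.5")[1])
    # 2. attacker replays the URL (leaked via Referer or a shared link) with no cookie
    results.append(store.check_request(sid, {}, "198.51.100.9")[1])
    # 3. attacker replays the URL with a guessed cookie value
    results.append(store.check_request(sid, {"wombatid": "A" * 43}, "198.51.100.9")[1])
    # 4. the legitimate user is unaffected by the failed attempts
    results.append(store.check_request(sid, {"wombatid": wombat}, "10.0.0.5")[1])
    return results, store.fail_log


if __name__ == "__main__":
    outcomes, log = demo()
    print(outcomes)   # ['ok', 'expired', 'mismatch', 'ok']
    print(log)
```

The point the scenario makes is the one the post is after: knowing the URL token alone (which the Fusebox urltoken hands out freely) is not enough, because the server also demands the cookie half, and the cookie half never appears in a URL or a Referer header. The log entry records the attacker's address together with the account they tried to use, which is what the post writes to its sessionfail log.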


-----Original Message-----
From: Todd Hartle [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 02, 2000 9:19 AM
To: [EMAIL PROTECTED]
Subject: Application Security


I am looking for a white paper or text concerning application and data
security standards. What I am concerned with is models that ensure that data
associated with one customer will not be inadvertently revealed to any
other. User authentication and other measures similar to these especially
under ColdFusion/Fusebox.

What I am Not concerned with is firewalls, latest security patches, UPSs and
the like. Any help is greatly appreciated.
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

----------------------------------------------------------------------------
--
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.