On Thursday, January 30, 2003, at 11:57, Jeff Kolber wrote:

> Hi.
> One thing about session security that has been of concern to me since I read the OWASP 10 most critical web application security vulnerabilities, and that I'm not sure I fully understand, is that with cookies or querystring session IDs it's possible to spoof the session ID (by a lucky guess/brute force or eavesdropping) and hijack a session. They say one way to deal with this is to check the IP address of where your session user is and if it changes mid-session. I'm wondering, if you run https, are cookies still vulnerable, or are they at least as protected as SSL makes them?

I wouldn't attach a session to an IP address, as it is quite common that a visitor's IP address changes frequently if he's behind some load-balanced proxies (I debugged the resulting "strange behaviour" for quite a long time a few years ago).
If you want to make data stored in a cookie or querystring more secure and even simpler to handle, I suggest you take a look at Data::Serializer, for example. Using this approach, you can work with only one parameter or cookie which consists of a serialized and encrypted Perl data structure.
Florian
--
0699 109 24 24 5 - http://www.laudatio.com
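The two points in the thread above (an unguessable session ID, and a single cookie holding a serialized, encrypted and integrity-protected structure so that a guessed or edited value is rejected) are shown below as an added Python example. It is not code from the list message or from Data::Serializer; it uses only the standard library, with HMAC-SHA256 in counter mode standing in for a real cipher (the cipher module Data::Serializer would configure, or AES-GCM in a modern stack), and the server key is a constructed placeholder.

```python
"""Sealed session cookie: serialize -> encrypt -> MAC, standard library only (added example)."""
import base64
import hashlib
import hmac
import json
import os
import secrets

# Constructed placeholder; a real deployment loads a random 32-byte key from configuration.
SERVER_KEY = b"example-server-key-change-me-32b"


def _derive(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one master key (simplified HKDF-style split)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode; stands in for a real cipher such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(session: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize the session dict, encrypt it, then MAC nonce+ciphertext (encrypt-then-MAC)."""
    plaintext = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    nonce = os.urandom(16)                      # fresh per cookie, never reused with this key
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def unseal(cookie: str, key: bytes = SERVER_KEY):
    """Return the session dict, or None if the cookie is forged, edited, truncated or garbage."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:                          # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 16 + 32:                      # must hold at least nonce + tag
        return None
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare; check MAC before decrypting
        return None
    ks = _keystream(_derive(key, b"enc"), nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, ks))
    try:
        return json.loads(plaintext)
    except ValueError:
        return None


def new_session_id() -> str:
    """32 random bytes from the OS CSPRNG: a lucky guess or brute force is infeasible."""
    return secrets.token_urlsafe(32)


def flip_byte(cookie: str, offset: int = 20) -> str:
    """Test helper: return the cookie with one byte of its decoded form altered."""
    raw = bytearray(base64.urlsafe_b64decode(cookie.encode()))
    raw[offset] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    cookie = seal({"uid": 42, "role": "user"})
    print("round trip:", unseal(cookie))
    print("edited cookie rejected:", unseal(flip_byte(cookie)) is None)
    print("fresh session id:", new_session_id())
```

The MAC is what makes a guessed or hand-edited cookie fail closed, and the encryption keeps the stored structure private, so the cookie can carry the session data itself instead of a server-side lookup key. As the reply notes, this does not depend on the client's IP address. HTTPS protects the cookie in transit, but the value still has to be unguessable and tamper-evident, and it should be sent with the Secure flag so it never travels over plain HTTP.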