Security considerations

Al Zohali edited this page May 12, 2017 · 2 revisions

Note: the author is not a security expert, so this section might not cover all security concerns.

Session hijacking

For a description, see the Wikipedia article.

The solution suggested in the paper is to incorporate the SSL session key into the encryption algorithm. However, this is undesirable for at least two reasons:

  • A warp application might be running behind a web server that alone handles SSL. In this case we will be unable to get the session key.
  • The default behaviour for SSL connections in major browsers is to time out after a few minutes of inactivity. As a result, we won't be able to use persistent cookies.

Nevertheless, we can mitigate the risks by using the following cookie flags:

  • Secure -- reject cookies that were transported over an insecure connection.
  • HttpOnly -- make cookies invisible to JavaScript running on a client page.

The case we cannot cover is when a user's cookies have been stolen. There is no reliable way to detect whether a request comes from the real user or from an impersonator.

Session riding (CSRF)

For a description, see the Wikipedia article.

One possible way to defend against this attack is the following:

  • Add a token field to the AuthCookieData record.
  • Fill it with random data at login.
  • Update forms and URLs in pages so that they pass the token as a parameter.
  • Write a custom authentication handler that rejects the request if the token in the request and the token in the cookie differ.
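
The four steps above as an added sketch, not code from this project: `Session`, `newCsrfToken`, `hiddenField`, `sameToken` and `checkCsrf` are hypothetical names, and the record stands in for whatever the application uses as its AuthCookieData. It assumes a Unix host that provides /dev/urandom and uses only `base` and `bytestring`.

```haskell
{-# LANGUAGE OverloadedStrings #-}
import           Data.Bits             (xor, (.|.))
import qualified Data.ByteString       as BS
import qualified Data.ByteString.Char8 as BC
import           Data.List             (foldl')
import           System.IO             (IOMode (ReadMode), withBinaryFile)
import           Text.Printf           (printf)

-- Hypothetical session record (step 1); stands in for whatever the
-- application stores as its AuthCookieData.
data Session = Session
  { sessionUser :: String
  , sessionCsrf :: BS.ByteString  -- per-login random token
  }

-- Step 2: 32 random bytes, hex-encoded so they fit in a form field or URL.
-- Assumption: the host provides /dev/urandom.
newCsrfToken :: IO BS.ByteString
newCsrfToken = do
  raw <- withBinaryFile "/dev/urandom" ReadMode (\h -> BS.hGet h 32)
  pure (BC.pack (concatMap (printf "%02x") (BS.unpack raw)))

login :: String -> IO Session
login user = Session user <$> newCsrfToken

-- Step 3: embed the token in every state-changing form.
hiddenField :: Session -> BS.ByteString
hiddenField s = BS.concat
  ["<input type=\"hidden\" name=\"token\" value=\"", sessionCsrf s, "\">"]

-- Compare all bytes instead of stopping at the first difference.
sameToken :: BS.ByteString -> BS.ByteString -> Bool
sameToken a b =
  BS.length a == BS.length b && foldl' (.|.) 0 (BS.zipWith xor a b) == 0

-- Step 4: reject the request unless its token parameter matches the cookie's.
checkCsrf :: Session -> Maybe BS.ByteString -> Either String ()
checkCsrf _ Nothing = Left "missing token"
checkCsrf s (Just t)
  | sameToken (sessionCsrf s) t = Right ()
  | otherwise                   = Left "token mismatch"

main :: IO ()
main = do
  s <- login "alice"                              -- constructed sample user
  BC.putStrLn (hiddenField s)
  print (checkCsrf s (Just (sessionCsrf s)))      -- form rendered by our page
  print (checkCsrf s (Just (BS.replicate 64 97))) -- cross-site request, guessed token
  print (checkCsrf s Nothing)                     -- cross-site request, no token
```

A request forged from another site carries the cookie automatically but cannot supply the matching parameter, so `checkCsrf` returns `Left` for it.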