Tuesday, 15 March 2011

security - Server-side checking if cookie stolen


Is there a way to check, on the server side, that a cookie has been stolen from user A by user B?

For example, the cookie token / data has been created using a simple hash function (for example SHA-1):

  hash_of(user_agent, ip + proxy_ip, username, random_session_key)

where user_agent is the user agent of the browser, ip is the client's IP address, proxy_ip is the IP address of the client's proxy, username is the username that is currently logged in, and random_session_key is a random number saved when the user logs in.

If that cookie was stolen and used by someone else on the LAN, the LAN is not using any proxy but is behind NAT, and the thief is using exactly the same browser (or a spoofed user agent), how do we find out on the server side?

Yes, there is a way. This is called.

Are you using SSL? (Because if you are not, then this whole conversation is useless).

Okay, you encrypt the cookie, but keyed with the SSL session identifier. Assuming that SSL gives you sufficient endpoint protection (strong cipher, etc.), the SCP can protect your data and tell you when another SSL session tries to use the same cookie (because the session changes, and so the MAC will change).

  key = HMAC(username | expiration_time, secret_key)
  cookie = username | expiration_time | Encrypt(data, key)
  cookie = cookie | HMAC(username | expiration_time | data | session, key)

In effect, the last field is a unique verification code based on the SSL session identifier.

Note that REMOTE_ADDR and the user agent are not always among the factors. Those factors are things that are extremely trivial to spoof unless you have physically compromised the client box ...
