tags:

views:

48

answers:

1
Q: 

securing sessions

I know SO isn't traditionally used this way (or maybe it is), but I've been learning about webapp security and was thinking it would be nice and encouraging to hear from SO experts what they think of this article (I'm reading it now, it's on session security).

http://carsonified.com/blog/dev/how-to-create-bulletproof-sessions/

Maybe we can have a discussion of some kind, point out what the author misstated/forgot and what better practices are there?

For example when it comes to a different security topic like sql injections, many people recommend things like mysql_real_escape_strings, but the experts will tell you that nothing beats prepared statements. From the comments, this article seems to have its problems, so I'm wondering how far on the good or bad side his content is.

+1  A: 

I think the article is quite nice, however these are just the basic concepts and if somebody seriously tries to make a serious security aware application, things like this will be addressed. In other words, the level of the article is quite low.

Issues like a man-in-the-middle attack are not addressed here (although i can imagine that something like this is usually outside the scope of the application layer). Another possible vulnerability can be random number generation. So depending on the implementation of session key generation, the entropy of the session keys could be much lower as the maximum possible entropy which may or may not make brute force attacks feasible.

So it really depends on the security requirements you have how the solution will be, there is no single security solution that works in all cases. To apply the latter, imagine that you've got a valid session id and you know to which ip the session is bound. Also assume that the target in this example is a bank. Now i can perform a request to transfer money to my account, and make this work by spoofing my ip-address and providing the stolen session. Ok, the reply of my request will never arrive since the IP address is spoofed, but who cares, I got the money since the server accepted my request.

The point is that depending on the context, your security requirements and thus your security solution(s) may greatly vary.

Henri  2009-10-07 22:42:01

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security