views:

314

answers:

5

I save data in a cookie to authenticate users for the next login (remember me option). This data is encrypted and hashed.

But here's the problem:

Anyone can take this cookie and put it on another machine and it will work.

I heard that this is called cookie poisoning.

How do I overcome this?

+3  A: 

Store the computer's IP address and/or hostname in the cookie (hashed) as well as your current scheme and validate that as well.

Daniel A. White
Specifically: hash the computer's IP address before saving it in the cookie.
Martin Hohenberg
This should be done with care, especially if you have a lot of users who work through proxies, or on AOL, since their sessions will constantly appear invalid.
Travis
@travis Yes, and many workplaces as well. We have 50+ users who appear on the same IP address where I work.
Byron Whitlock
Yes, you can find a group of people working behind one IP.
islam khalil saber
Multiple users behind one IP isn't really a problem for the solution outlined here; the problem comes if one user might legitimately issue requests from different IP addresses in the same session.
gnud
For even more security, you could store the client's IP *and* User Agent (although the agent is easy to spoof).
altermativ
+2  A: 

The threat you're describing is that an adversary will steal a user's cookie and use it to access that user's session. One way to protect against this is to store IP addresses or hostnames as Daniel A White mentions, although if that's not possible there is no 100% secure way to negotiate this.

Here are a couple other options that can secure against this kind of attack:

  1. Use HTTPS for all session-based site traffic, and set your cookies to only transmit via HTTPS. If this is an option for you, this will prevent man-in-the-middle attacks.
  2. Set an additional cookie with a random value that changes on every request. If the random value is used more than once, you know a hijacker has gained access, and you can destroy the session for safety.
Travis
Wouldn't the random value -- by definition -- have a chance of showing up again? As for storing hostnames or IP addresses, these can be spoofed.
BryanH
So I need a good solution for this.
islam khalil saber
+1 I agree with storing some type of session ID in the cookie. You could also develop a confidence function that gets triggered after login that analyzes current identifying information against previous information and forces them to re-authenticate if it's not a normal pattern. Say at least two of the following {machine name, IP, browser header} match in the last 10 login records.
Chad
The requirement of the random value is just that it is cryptographically secure and can't be guessed, so you could generate that value and prefix the microtime or something to ensure uniqueness.
Travis
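As an added example (not code from the question or from any of the answers), here is a Python sketch of the rotating-value idea in point 2 above, combined with the HTTPS-only cookie from point 1. The cookie is split into a fixed series id and a random token that is replaced on every use; a presented token that belongs to a known series but no longer matches the stored hash means an old copy is being replayed, which is the theft signal, so the series and every other persistent login for that user are revoked. The names (`SERIES`, `issue`, `validate`, `revoke_all`, `set_cookie_header`), the cookie layout and the in-memory dict standing in for a database table are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store standing in for a database table keyed by
# series id.  Value: (user_id, sha256(token), expires_at).  Only the hash of
# the token is stored, so a leaked table does not yield usable cookies.
SERIES = {}

TOKEN_LIFETIME = 30 * 24 * 3600  # a remember-me cookie still needs a hard expiry


def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue(user_id, now=None):
    """Call after a successful password login; returns the cookie value.
    The series id names one browser's cookie lineage; the token half is
    replaced on every use."""
    now = time.time() if now is None else now
    series = secrets.token_hex(16)
    token = secrets.token_hex(32)  # 256 random bits: a repeat is not a practical concern
    SERIES[series] = (user_id, _hash(token), now + TOKEN_LIFETIME)
    return f"{series}:{token}"


def validate(cookie, now=None):
    """Check a presented cookie. Returns (status, user_id, replacement_cookie)
    where status is 'ok', 'expired', 'unknown' or 'theft'."""
    now = time.time() if now is None else now
    series, sep, token = cookie.partition(":")
    if not sep:
        return ("unknown", None, None)
    entry = SERIES.get(series)
    if entry is None:
        return ("unknown", None, None)
    user_id, token_hash, expires_at = entry
    if now > expires_at:
        del SERIES[series]
        return ("expired", None, None)
    if not hmac.compare_digest(token_hash, _hash(token)):
        # The series exists but the token is stale: a copy of a cookie that has
        # already been rotated is being replayed.  Either the thief or the real
        # user is holding the old value, so drop every persistent login for the
        # account and make the user log in with a password again.
        del SERIES[series]
        revoke_all(user_id)
        return ("theft", user_id, None)
    new_token = secrets.token_hex(32)
    SERIES[series] = (user_id, _hash(new_token), expires_at)
    return ("ok", user_id, f"{series}:{new_token}")


def revoke_all(user_id):
    """Remove every remember-me series for a user (theft detected, password changed)."""
    for series in [s for s, v in SERIES.items() if v[0] == user_id]:
        del SERIES[series]


def set_cookie_header(value, max_age=TOKEN_LIFETIME):
    """Build the Set-Cookie header: Secure keeps it off plain HTTP, HttpOnly keeps
    it away from script, SameSite limits cross-site sends."""
    return (f"remember={value}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")
```

On BryanH's objection that a random value might repeat: with 256 bits from `secrets` the chance is not a practical concern, so the microtime prefix Travis mentions is not needed here. The replay detection is still only a detection; the stolen copy is valid until the legitimate browser (or the thief) uses it once, and the user ends up logged out of every remembered device, which is why the lifetime is still bounded.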
+2  A: 

You really can't stop it, but there are things you can do to make it harder and thereby less attractive.

  1. Require the user to use https (443) the entire session. This will prevent any man-in-the-middle attacks from sniffing the cookie

  2. Only allow one session to be active at a time. Once the second session shows up, the first session is invalidated.

  3. Require the user to provide his old password when changing the password; this will prevent someone from hijacking the account and easily changing the password.

  4. Have a very limited life for the session cookie - maybe a few hours.

That being said, since you have an open door into your system, you might want to ensure you're not storing any sensitive information that can be easily read by a user. So, for example, if a credit card or SSN is in the system, do not display it to the user.

BryanH
A: 

But I see some sites like Google preventing this? And I read in Wikipedia that I can eliminate cookie poisoning using a session identifier. Does anyone have an idea how to do this?

islam khalil saber
A: 

Even an identifier could be used to hijack a session (which is used anyway to identify a unique session). The tip about asking for the old password before assigning a new one is OK, but if you support a kind of "Lost my password" feature you need to ask for the password every time critical information is changed in the account (such as email).

What Google did: they allow you to browse the "places" (or computers) that logged onto your account (because you may use it at home, at work, etc.) and to "close" those connections. In the event a connection is unknown to you, you can "close" it (close the session) and change your password immediately to make sure the hijacker doesn't use your old password (if the password was known to it).

JP
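As an added example that is not code from any of the answers, the following Python models the account-level controls the answers describe: one active session at a time and a short session lifetime (BryanH's points 2 and 4), requiring the old password before a change and then signing out every other device (BryanH's point 3 and JP's description of what Google does), a per-account list of live sessions with their IP, user-agent fingerprint and hostname that the user can close (JP's "places"), and Chad's confidence check that asks for at least two of {IP, browser header, machine name} to match one of the last ten login records. The store dicts, the `Session` record and all function names are assumptions; Chad's 2-of-3 and 10-record thresholds are used as he gave them.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    user_id: str
    ip: str
    ua_hash: str
    hostname: str
    created: float
    last_seen: float


# Constructed in-memory stores standing in for a database or cache.
SESSIONS = {}        # session_id -> Session
LOGIN_HISTORY = {}   # user_id -> [(ip, ua_hash, hostname), ...], oldest first
MAX_ACTIVE = 1       # BryanH's point 2: one live session per account
SESSION_TTL = 4 * 3600   # BryanH's point 4: idle sessions die after a few hours


def ua_fingerprint(user_agent):
    """Store a short hash rather than the raw header (the header is easy to spoof,
    so this is only a weak signal, as the comments above note)."""
    return hashlib.sha256(user_agent.encode()).hexdigest()[:16]


def open_session(user_id, ip, user_agent, hostname, now=None):
    """Create a session after a successful login, evicting the oldest sessions
    when the account is over its concurrency limit."""
    now = time.time() if now is None else now
    fp = ua_fingerprint(user_agent)
    active = sorted(active_sessions(user_id), key=lambda s: s.created)
    while len(active) >= MAX_ACTIVE:
        close_session(user_id, active.pop(0).session_id)
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(sid, user_id, ip, fp, hostname, now, now)
    LOGIN_HISTORY.setdefault(user_id, []).append((ip, fp, hostname))
    return sid


def active_sessions(user_id):
    """The 'places' view: every live session for the account, with where it came from."""
    return [s for s in SESSIONS.values() if s.user_id == user_id]


def close_session(user_id, session_id):
    """Let a user close one of their own sessions (and only their own)."""
    s = SESSIONS.get(session_id)
    if s is None or s.user_id != user_id:
        return False
    del SESSIONS[session_id]
    return True


def touch(session_id, now=None):
    """Per-request check: returns the user id, or None if unknown or idle too long."""
    now = time.time() if now is None else now
    s = SESSIONS.get(session_id)
    if s is None:
        return None
    if now - s.last_seen > SESSION_TTL:
        del SESSIONS[session_id]
        return None
    s.last_seen = now
    return s.user_id


def change_password(user_id, old_password_ok, keep_session_id=None):
    """Only proceed when the old password was verified (BryanH's point 3); then
    sign out every other session so a hijacker does not stay logged in."""
    if not old_password_ok:
        return False
    for s in active_sessions(user_id):
        if s.session_id != keep_session_id:
            del SESSIONS[s.session_id]
    return True


def looks_familiar(user_id, ip, user_agent, hostname, window=10, needed=2):
    """Chad's confidence check: at least `needed` of {ip, browser header, machine
    name} must match one of the last `window` login records, otherwise the caller
    should force re-authentication.  A brand-new account has nothing to compare
    against and is treated as familiar."""
    history = LOGIN_HISTORY.get(user_id, [])[-window:]
    if not history:
        return True
    fp = ua_fingerprint(user_agent)
    for rec_ip, rec_ua, rec_host in history:
        score = (rec_ip == ip) + (rec_ua == fp) + (rec_host == hostname)
        if score >= needed:
            return True
    return False
```

A login handler would call `looks_familiar` first and demand a password (or a second factor) when it returns False, then `open_session`; every later request goes through `touch`. Raise `MAX_ACTIVE` if users legitimately stay signed in on several devices, since with the limit at 1 a hijacker's login silently evicts the real user rather than being noticed, which is exactly what the per-account session list is there to surface.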