How do I protect my users from session hijacking?

+1  A: 

From StackOverflow's creators' blog:
Preventing CSRF and XSRF Attacks

Found by Googling "Prevent csrf"
http://www.google.com/search?client=safari&rls=en&q=prevent+csrf&ie=UTF-8&oe=UTF-8

Christopher Altman
Session riding is one of many attacks that can compromise a session.
Rook
Good point, when I read this question my mind went immediately to cross site request forgery, but you are right, there are man in the middle and other attacks.
Christopher Altman
+1  A: 

One way that I know of is to check for consistency in the IP address of the user. By this I mean checking that the current IP address matches the IP address last used during the same session. This would however not stop session hijacking from someone using the same IP address.

RadiantHeart
... and it doesn't stop session riding with XSRF or XSS.
Rook
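An added example (not code from the answer's author) of the consistency check described above, in Python with a constructed in-memory session store and RFC 5737 example addresses: a session is bound to the IP address seen at login, a request that presents the same session id from a different address is refused and the session is dropped, while a session id replayed from the same address still passes, which is exactly the limitation the answer points out.

```python
import secrets
import time

# Constructed in-memory store for this example: session id -> record.
# A real application would keep this server-side (database, cache, etc.).
SESSIONS = {}


def create_session(user_id, client_ip):
    """Issue a new session and bind it to the IP address that logged in."""
    sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable
    SESSIONS[sid] = {"user": user_id, "ip": client_ip, "last_seen": time.time()}
    return sid


def validate_session(sid, client_ip):
    """Return the user id if the session is valid for this request, else None.

    The IP comparison rejects a stolen session id replayed from a different
    address. It does NOT help when the attacker shares the victim's address
    (same NAT, same proxy), and it logs out legitimate users whose address
    changes mid-session (mobile roaming), so it is only one layer.
    """
    rec = SESSIONS.get(sid)
    if rec is None:
        return None  # unknown or already invalidated session id
    if rec["ip"] != client_ip:
        # Treat the mismatch as a possible hijack: refuse the request and
        # invalidate the session instead of silently rebinding it, so the
        # original holder has to re-authenticate. Worth logging for the SOC.
        del SESSIONS[sid]
        return None
    rec["last_seen"] = time.time()
    return rec["user"]
```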
+3  A: 

There are three sections in the OWASP Top 10 for 2010 that you should read.

1: (!!) A3: "Broken Authentication and Session Management." (!!)

2: "Cross Site Request Forgery" (XSRF)

3: "Cross Site Scripting" (XSS)

Rook