[Owasp-testing] Copy Cookies

Bil Corry bil at corry.biz
Thu Jul 22 12:38:51 EDT 2010


Dave van Stein wrote on 7/22/2010 12:50 AM: 
>  All session tokens in high value applications SHOULD be tied to a specific
> HTTP client instance (session identifier and IP address).

There are some clients that sit behind a multi-IP proxy where each request originates from a different IP address.  AOL used to employ such a system.  Those clients, if they're important, must have an alternate system available that doesn't rely on the IP address (or allows more than one). 


> Each form or page nonce SHOULD be removed from the active list as soon as it
> is submitted.

If the nonce is rotated for each request, know that it will break the browser history (e.g. back button).  The impact to the user can be minimized by requiring they re-authenticate, then automatically perform the original request.



- Bil




More information about the Owasp-testing mailing list