[Owasp-testing] Copy Cookies
bil at corry.biz
Thu Jul 22 12:38:51 EDT 2010
Dave van Stein wrote on 7/22/2010 12:50 AM:
> All session tokens in high value applications SHOULD be tied to a specific
> HTTP client instance (session identifier and IP address).
There are some clients that sit behind a multi-IP proxy where each request originates from a different IP address. AOL used to employ such a system. Those clients, if they're important, must have an alternate system available that doesn't rely on the IP address (or allows more than one).
> Each form or page nonce SHOULD be removed from the active list as soon as it
> is submitted.
If the nonce is rotated for each request, know that it will break the browser history (e.g. back button). The impact to the user can be minimized by requiring they re-authenticate, then automatically perform the original request.
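A defender's sketch of the two points discussed above (sessions bound to the client IP, with an allowance for clients behind a multi-IP proxy, and form nonces consumed on first submission), as an added example in Python that is not from the thread; the proxy range and addresses are constructed TEST-NET values.

```python
import ipaddress
import secrets


class SessionStore:
    """In-memory session store: each token is bound to the IP that created it,
    and each form nonce is single-use."""

    def __init__(self, multi_ip_nets=()):
        # Constructed list of ranges known to be multi-IP proxies (hypothetical);
        # clients inside one may legitimately change address between requests.
        self.multi_ip_nets = [ipaddress.ip_network(n) for n in multi_ip_nets]
        self.sessions = {}  # token -> {"ip": str, "nonces": set()}

    def _proxy_net(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((n for n in self.multi_ip_nets if addr in n), None)

    def create(self, client_ip):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"ip": client_ip, "nonces": set()}
        return token

    def validate(self, token, client_ip):
        s = self.sessions.get(token)
        if s is None:
            return False
        if s["ip"] == client_ip:
            return True  # strict binding: same client address
        # Strict check failed: accept only if the session was created from a
        # known multi-IP proxy range and the new address is inside that same range.
        net = self._proxy_net(s["ip"])
        return net is not None and ipaddress.ip_address(client_ip) in net

    def issue_nonce(self, token):
        nonce = secrets.token_urlsafe(16)
        self.sessions[token]["nonces"].add(nonce)
        return nonce

    def consume_nonce(self, token, nonce):
        # Removed from the active list on first submission, so a resubmission
        # (e.g. via the back button) is rejected and the app can re-prompt.
        nonces = self.sessions[token]["nonces"]
        if nonce not in nonces:
            return False
        nonces.discard(nonce)
        return True
```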