[Owasp-testing] Copy Cookies

Dave van Stein dvstein at gmail.com
Thu Jul 22 13:10:54 EDT 2010


2010/7/22 Bil Corry <bil at corry.biz>

> Dave van Stein wrote on 7/22/2010 12:50 AM:
> > All session tokens in high value applications SHOULD be tied to a specific
> > HTTP client instance (session identifier and IP address).
>
> There are some clients that sit behind a multi-IP proxy where each request
> originates from a different IP address.  AOL used to employ such a system.
>  Those clients, if they're important, must have an alternate system
> available that doesn't rely on the IP address (or allows more than one).
>
>
> > Each form or page nonce SHOULD be removed from the active list as soon as it
> > is submitted.
>
> If the nonce is rotated for each request, know that it will break the
> browser history (e.g. back button).  The impact to the user can be minimized
> by requiring they re-authenticate, then automatically perform the original
> request.
>
> - Bil
>
Bil,

Like I said earlier, that was just a copy/paste from the Testing Guide as
sample examples for minimizing the risk of session hijacking. As with every
problem and solution, you should always find a balance between security,
functionality, usability and performance.

Dave
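The two Testing Guide measures quoted above (IP-bound session tokens and one-time form nonces), together with Bil's "allows more than one" IP alternative for clients behind a multi-IP proxy, as an added illustration that is not part of this thread or the Testing Guide. `SessionStore`, `Session`, the prefix-length parameter and the sample addresses are all my own assumptions.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Networks this session may be used from: a /32 for ordinary clients,
    # a wider prefix for clients known to sit behind a multi-IP proxy.
    allowed_nets: list
    # Outstanding one-time form/page nonces for this session.
    nonces: set = field(default_factory=set)


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user, client_ip, prefix_len=32):
        # prefix_len=32 ties the token to exactly one IPv4 address; a shorter
        # prefix is the "allows more than one" alternative for proxied clients.
        token = secrets.token_urlsafe(32)
        net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
        self._sessions[token] = Session(user=user, allowed_nets=[net])
        return token

    def validate(self, token, client_ip):
        # Returns the user when the token exists and the request IP falls inside
        # one of the session's allowed networks; otherwise None (reject).
        s = self._sessions.get(token)
        if s is None:
            return None
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in s.allowed_nets):
            return None
        return s.user

    def issue_nonce(self, token):
        nonce = secrets.token_urlsafe(16)
        self._sessions[token].nonces.add(nonce)
        return nonce

    def consume_nonce(self, token, nonce):
        # Removed from the active list on first use, so a replayed submission
        # (including a browser-history resubmit) is rejected.
        s = self._sessions.get(token)
        if s is None or nonce not in s.nonces:
            return False
        s.nonces.discard(nonce)
        return True
```

The second session below is created with a /24 to show the trade-off Bil describes: a client behind a rotating-IP proxy stays logged in, at the cost of accepting any address in that range.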