[Owasp-testing] Copy Cookies
Dave van Stein
dvstein at gmail.com
Thu Jul 22 13:10:54 EDT 2010
2010/7/22 Bil Corry <bil at corry.biz>
> Dave van Stein wrote on 7/22/2010 12:50 AM:
> > All session tokens in high value applications SHOULD be tied to a
> > HTTP client instance (session identifier and IP address).
> There are some clients that sit behind a multi-IP proxy where each request
> originates from a different IP address. AOL used to employ such a system.
> Those clients, if they're important, must have an alternate system
> available that doesn't rely on the IP address (or allows more than one).
> > Each form or page nonce SHOULD be removed from the active list as soon as
> > it is submitted.
> If the nonce is rotated for each request, know that it will break the
> browser history (e.g. back button). The impact to the user can be minimized
> by requiring they re-authenticate, then automatically perform the original
> - Bil
Like I said earlier, that was just a copy/paste from the Testing Guide as
sample examples for minimizing the risk of session hijacking. As with every
problem and solution you should always find a balance between security,
functionality, usability and performance.
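As an added illustration of the two controls discussed above (not code from the thread or the Testing Guide): a minimal in-memory session store that binds a session token to one or more client IP addresses, as Bil's multi-IP proxy caveat requires, and hands out single-use form nonces that are removed from the active list on first submission. The store class, its method names and the IP addresses are all assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str
    # IPs this session may be used from. Normally one entry; a client behind
    # a multi-IP proxy can be granted several (assumed policy, see SessionStore).
    allowed_ips: set
    nonces: set = field(default_factory=set)  # active, not yet consumed


class SessionStore:
    """Hypothetical server-side store; real deployments persist this elsewhere."""

    def __init__(self, max_ips_per_session=1):
        self._sessions = {}
        self.max_ips = max_ips_per_session

    def create(self, client_ip):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = Session(sid, {client_ip})
        return sid

    def allow_ip(self, sid, extra_ip):
        """Extend the binding for proxy users; refuses beyond the configured limit."""
        s = self._sessions.get(sid)
        if s is None or len(s.allowed_ips) >= self.max_ips:
            return False
        s.allowed_ips.add(extra_ip)
        return True

    def validate(self, sid, client_ip):
        """A stolen token presented from an unbound IP is rejected here."""
        s = self._sessions.get(sid)
        return s is not None and client_ip in s.allowed_ips

    def issue_nonce(self, sid, client_ip):
        if not self.validate(sid, client_ip):
            return None
        nonce = secrets.token_urlsafe(16)
        self._sessions[sid].nonces.add(nonce)
        return nonce

    def consume_nonce(self, sid, client_ip, nonce):
        """True exactly once; a resubmit (e.g. back button) returns False."""
        if not self.validate(sid, client_ip):
            return False
        active = self._sessions[sid].nonces
        if nonce not in active:
            return False
        active.discard(nonce)  # removed from the active list on submission
        return True
```

The second `consume_nonce` call on the same nonce failing is exactly the back-button breakage the thread mentions, so the application must decide how to recover (re-issue, re-authenticate) rather than silently accept the replay.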