To avoid session hijacking after a user has logged in, what information can I rely on during the login process to validate that it is indeed the legitimate user, so that someone who intercepts the session to relay it will be invalidated?

Are their IP address and browser information good enough for it?

kolossus
Deeptechtons

2 Answers

3

Are their IP address and browser information good enough for it?

Definitely not. The IP address can be spoofed and the browser can be retro-fitted to be a poor man's Metasploit toolkit. See the Poster tool.

The OWASP project has very good pointers to protecting the session token and other good stuff relating to general web application security.

Trust NOTHING that didn't start from within your web application server's installation folder.

kolossus
  • The IP spoofing article linked really regards using a proxy to change your IP address, rather than impersonating another user's IP (which is what I'd call spoofing). You could use IP address as an extra check as well as using an unpredictable token value that is stored in a cookie, but the IP check does not protect against other users coming from behind the same firewall where NAT is used. Also, AOL and some other services can give a different IP to the same user over the course of their session. You can check browser info but this would only guard against casual attackers (Security by Ob..). – SilverlightFox Oct 08 '12 at 10:06
  • @SilverlightFox, I generally see spoofing as lying about your IP address :) – kolossus Oct 11 '12 at 06:16
  • You're not lying about the IP address, as when you connect via a proxy that IS your IP address. ;-) – SilverlightFox Oct 11 '12 at 13:24
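The points made in this answer and its comments (an unpredictable token in a cookie as the real protection, IP and browser checks as weak extra layers that break for NAT users and for users whose IP changes mid-session) can be shown concretely. The following is an added example written for this page, not code from either answer; the in-memory store, the `alice` user, the addresses and the 30-minute idle limit are all constructed for the demo.

```python
import hashlib
import secrets
import time

# Constructed in-memory session store: {sha256(token): session record}.
# Only the hash of the token is stored, so a leaked store does not hand
# out usable cookies.
SESSIONS = {}

SESSION_LIFETIME = 30 * 60  # idle seconds before a session dies (assumed value)


def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id, ip, user_agent, now=None):
    """Issue an unpredictable session token: 256 bits from the OS CSPRNG.

    This is what actually stops an attacker who does not hold the cookie;
    the IP and User-Agent are recorded only for optional extra checks.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[_key(token)] = {
        "user_id": user_id,
        "ip": ip,
        "user_agent": user_agent,
        "last_seen": now,
    }
    return token


def validate_session(token, ip, user_agent, bind_ip=False,
                     bind_user_agent=True, now=None):
    """Return (user_id, reason); user_id is None when the session is rejected."""
    now = time.time() if now is None else now
    record = SESSIONS.get(_key(token))
    if record is None:
        return None, "unknown token"
    if now - record["last_seen"] > SESSION_LIFETIME:
        SESSIONS.pop(_key(token))
        return None, "expired"
    # Binding to the client IP is off by default: users behind a NAT share
    # one address, and some providers change a user's address mid-session.
    if bind_ip and record["ip"] != ip:
        return None, "ip mismatch"
    # The User-Agent check only stops a casual attacker; anyone who copies
    # the header along with the cookie passes it.
    if bind_user_agent and record["user_agent"] != user_agent:
        return None, "user-agent mismatch"
    record["last_seen"] = now
    return record["user_id"], "ok"


def demo():
    """Walk through the cases discussed in the answer; returns each outcome."""
    SESSIONS.clear()
    t0 = 1_000_000.0
    user_ip, user_ua = "203.0.113.10", "Mozilla/5.0 (Firefox/16.0)"  # constructed
    token = create_session("alice", user_ip, user_ua, now=t0)
    results = {}
    # A made-up cookie is simply unknown; 256 random bits cannot be enumerated.
    results["guessed"] = validate_session("not-a-real-token", user_ip, user_ua, now=t0 + 1)
    # A casual attacker replays the stolen cookie from a different client.
    results["stolen_other_browser"] = validate_session(
        token, "198.51.100.7", "curl/7.26.0", now=t0 + 2)
    # A careful attacker also copies the User-Agent header and gets through.
    results["stolen_same_browser"] = validate_session(
        token, "198.51.100.7", user_ua, now=t0 + 3)
    # The real user's address changes mid-session (NAT pool, AOL-style proxy).
    results["user_ip_changed_bound"] = validate_session(
        token, "203.0.113.11", user_ua, bind_ip=True, now=t0 + 4)
    results["user_ip_changed_unbound"] = validate_session(
        token, "203.0.113.11", user_ua, now=t0 + 5)
    # An idle timeout caps how long a stolen token stays useful.
    results["after_idle_timeout"] = validate_session(
        token, user_ip, user_ua, now=t0 + 5 + SESSION_LIFETIME + 1)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

The two binding checks are deliberately optional flags: turning `bind_ip` on locks out legitimate users in exactly the situations SilverlightFox describes, while the User-Agent check costs nothing but also defeats nobody who bothers to copy one extra header. Neither replaces an unguessable token, a cookie flagged `HttpOnly`/`Secure`, and an idle timeout.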
1

You can require the user to re-authenticate (type in their password again) before doing something important, like changing their email address. There is no bulletproof protection against session hijacking; you need to choose how much usability you are prepared to sacrifice in the name of security.

Vitaly Osipov
  • Good catch. In my opinion, there's no bulletproof protection to anything in (web app) security. Security is a journey, not a destination – kolossus Oct 08 '12 at 15:57
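The re-authentication step this answer recommends can be made concrete as a "fresh login" window: a sensitive action is allowed only if the password was entered recently, so an attacker holding just the cookie is stopped at the point where it matters. The block below is an added example for this page, not Vitaly Osipov's code; the five-minute window, the PBKDF2 parameters, the `alice` account and her password are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

REAUTH_WINDOW = 5 * 60  # seconds since the last password entry (assumed value)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; iteration count is an assumed demo value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, email: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "email": email}


# Constructed user table and session store (in a real app: a database / cache).
USERS = {"alice": _make_user("correct horse battery staple", "alice@example.com")}
SESSIONS = {}  # {token: {"user_id": ..., "authenticated_at": ...}}


def _password_ok(user_id: str, password: str) -> bool:
    user = USERS.get(user_id)
    if user is None:
        return False
    # Constant-time comparison so a wrong hash cannot be timed.
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])


def login(user_id: str, password: str, now: float):
    """Full login: verify the password and issue a fresh, unpredictable token."""
    if not _password_ok(user_id, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user_id": user_id, "authenticated_at": now}
    return token


def reauthenticate(token: str, password: str, now: float) -> bool:
    """Step-up check: the existing session proves nothing; the password does."""
    sess = SESSIONS.get(token)
    if sess is None or not _password_ok(sess["user_id"], password):
        return False
    sess["authenticated_at"] = now
    return True


def change_email(token: str, new_email: str, now: float) -> str:
    """Sensitive action: only allowed inside the fresh-login window."""
    sess = SESSIONS.get(token)
    if sess is None:
        return "no session"
    if now - sess["authenticated_at"] > REAUTH_WINDOW:
        return "reauth required"
    USERS[sess["user_id"]]["email"] = new_email
    return "changed"


def demo():
    """Legitimate user, then a hijacker holding only the cookie; returns outcomes."""
    SESSIONS.clear()
    USERS["alice"]["email"] = "alice@example.com"
    t0 = 1_000_000.0
    token = login("alice", "correct horse battery staple", now=t0)
    results = {}
    # Right after login the window is open; no extra prompt needed.
    results["fresh_change"] = change_email(token, "alice@new.example", now=t0 + 10)
    # An hour later a hijacker replays the cookie: the window has closed.
    results["hijacker_stale"] = change_email(token, "attacker@evil.example", now=t0 + 3600)
    # The hijacker has the cookie but not the password.
    results["hijacker_reauth"] = reauthenticate(token, "guess", now=t0 + 3601)
    # The real user re-enters the password and may proceed.
    results["user_reauth"] = reauthenticate(token, "correct horse battery staple", now=t0 + 3602)
    results["user_change_after_reauth"] = change_email(token, "alice@final.example", now=t0 + 3603)
    results["email_now"] = USERS["alice"]["email"]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:26s} -> {outcome}")
```

Only the sensitive endpoints consult `authenticated_at`, so ordinary browsing is unaffected and the usability cost is confined to the few actions worth protecting. A common refinement is to rotate the session token on every successful `login` or `reauthenticate` so that a token captured earlier stops working once the legitimate user has stepped up.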