
I am building a product for my company on Odoo 8. I want to know how I can prevent my application from session hijacking. I have taken a few steps for that:

  1. Changing the session ID after successful login and logout.

  2. Have used SSL also to encrypt data between client and server.

But the security team of my company is not signing off my product, since they said we can copy the cookie of the logged-in person and just paste it into another browser and can easily access the account. But according to me that is possible only if the machine is physically compromised. I don't know what I should do now.

Any help on this would be appreciated.

1 Answer

If you have configured SSL properly, there should be no way for attackers to get the cookies of the logged-in user. The only way would be to copy-paste it on the computer of the logged-in user. But then, why not use the computer altogether without bothering to copy-paste the cookie?

You can demonstrate this to them by asking them to hack your account, without giving them your computer. Keep in mind that a lot of data transmission in Odoo is done via JSON-RPC. So make sure to encrypt that data as well.

This answer gives some valuable thoughts on session hijacking in general: https://stackoverflow.com/a/12545243/4832607

Majikat
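As an added example (not code from the question, the answer, or Odoo itself), a small Python check for the two controls this thread turns on: the cookie attributes that keep the session cookie off plain HTTP and out of reach of page script, and rotation of the session ID on login so a copied pre-login ID stops working. The cookie name `session_id` is assumed here to be the one Odoo sets; `SessionStore` is an illustrative stand-in for a server-side session table, not Odoo's own implementation.

```python
import secrets
from http.cookies import SimpleCookie


def audit_set_cookie(header: str, name: str = "session_id") -> list:
    """Return the hardening problems found in a Set-Cookie header value.

    An empty list means the named cookie carries Secure, HttpOnly and SameSite.
    """
    jar = SimpleCookie()
    jar.load(header)
    if name not in jar:
        return ["no cookie named %r in header" % name]
    morsel = jar[name]
    problems = []
    if not morsel["secure"]:
        problems.append("missing Secure: cookie is also sent over plain HTTP")
    if not morsel["httponly"]:
        problems.append("missing HttpOnly: cookie is readable by injected JavaScript")
    if not morsel["samesite"]:
        problems.append("missing SameSite: cookie is attached to cross-site requests")
    return problems


class SessionStore:
    """Minimal server-side session table (constructed for this example).

    Session IDs are random, rotated on login and destroyed on logout, so an ID
    captured before login, or after logout, no longer maps to any user.
    """

    def __init__(self):
        self._sessions = {}  # session id -> username (None = anonymous)

    def new_anonymous(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def login(self, old_sid: str, user: str) -> str:
        # Rotation: drop the pre-login id entirely, then issue a fresh one.
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = user
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # server-side invalidation, not just cookie expiry

    def user_for(self, sid: str):
        return self._sessions.get(sid)
```

Running `audit_set_cookie` against the real `Set-Cookie` header your Odoo instance returns is a quick way to show the security team which attributes are present before they try the copy-paste test.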