开发者

Stealing session id cookies - counter measures

It is easy to steal session id cookies with javascript functions planted in trusted sites by other users. What are the possible counter-measures for this kind of attack?

Rejecting all javascript scripts on the client-side is probably difficult because almost all sites use js. What are the possible counter-measures on the server-side? Is it possible to include a hash of the client ip-address in the session id value to prevent that a valid session id be used from another host? Does this approach make sense?

In one of the resources mentioned in开发者_StackOverflow社区 your valuable answers a solution is proposed where the session id is changed after every request. Is such a feature already supported by the app servers / frameworks? In particular how about Django/python?


It's really awkward to do IP to session mapping, because you don't have guarantees that people aren't using proxies, and those proxies could easily change IPs.

The best thing you can do is use SSL, and make your cookies HTTP-only.


You'd want to specify that some cookie is for some host, domain, subdomain or whatever. Cookies support that.

I don't think that you can access cookies from other domains.


Is it possible to include a hash of the client ip-address in the session id value to prevent that a valid session id be used from another host? Does this approach make sense?

This can block session hijacking in some situation, but in situation where the attacker computer and victim computer are on the same network, it won't do anything since the connection comes from the same IP address.

What are the possible counter-measures on the server-side ?

Using SSL will help prevent session hijacking if a person is connected to a public network.

You can review your code and make sure you have no XSS flaw in your code.

You can also make sure the cookie used to stored the session has the HTTP Only flag.


This is called XSS. The best solution in to prevent the planting of JavaScript code on the clients in the first place.

An interesting solution is to provide a token-based autentication to every user operation. Check out the OWASP CSRF page for more information.

Edit: As the comment says, the token won't help mitigating the session hijacking issue. As the Wikipedia article says about Session Hijacking, the best solution is to rotate the Session ID, possible every time the page reloads.


  • Only install javascript you trust. Inspect the source code(Maybe use some sort of XSS scanner) if you are unsure about code.
  • filter your javascript(from input) using for example this simple javascript snippet:

    function sanitize(html){
    `return String(html)
    .replace(/&(?!\w+;)/g, '&')
    .replace(/ .replace(/>/g, '>')
    .replace(/"/g, '"');
    }

You MUST also have good filtering(input) server-side. For example PHP has filter extension.

  • Use http-only cookies.
  • Use SSL.
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜