[ic] New SecureProtect directive to prevent sidejacking
Mike Heins
mike at perusion.com
Sat Oct 30 12:56:14 UTC 2010
Quoting Peter (peter at pajamian.dhs.org):
> On 30/10/10 17:13, Mike Heins wrote:
> > Quoting Peter (peter at pajamian.dhs.org):
> >> Why do we need to limit it to logged in users? Why can't we protect
> >> secure pages in the session before someone is logged in?
> >
> > Nothing stops you from generating your own MV_SHASH via another
> > process. Feel free.
> >
> > But what information would you base the hashing on? We can't use IP
> > address or MAC address, if they are sniffing. Session keys are kind of
> > pointless -- if you did that you would only be protected on
> > the *second* page. What's the point?
>
> What about just a random token stored in the session itself? If the
> secure cookie has the wrong token or non-existent then secure access is
> denied.
That prevents the multi-day de-authentication scheme.
>
> > And why would you put secure information in a session before someone
> > authenticates? In normal operation, you don't want to use SSL, and
> > why waste CPU cycles on a random non-authenticated user?
>
> Someone can go right through to checkout without logging in, and even
> complete checkout as a "guest" (albeit with an implicit login).
> Certainly a good deal of data can be accumulated just from the browsing
> habits of the user, what items they add to their cart, etc. before they
> login. On a multi-page checkout there is even personal telephone and
> address data that is stored and can be retrieved, and all before the
> customer has to login.
That type of behavior doesn't make them a target for sidejacking.
--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.765.328.4479 <mike at perusion.com>
Being against torture ought to be sort of a bipartisan thing.
-- Karl Lehenbauer
More information about the interchange-users
mailing list