[unisog] Using cookies for authentication

Christopher A Bongaarts cab at tc.umn.edu
Fri Mar 7 20:22:30 GMT 2003


As Russell Fulton once put it so eloquently:

> What I am really focusing on is the risk of browser bugs and XSS bugs
> that might allow the cookie to be stolen.  We must assume that the
> attacker may have a web server under their control in the same domain as
> the cookie and that they may be able to induce users to visit the site.

For additional (but not guaranteed) safety, include the IP address of
the browser when you sign the cookie, and have applications verify the
IP of the browser presenting the cookie as part of the validation
process.

(Note that this doesn't work so well in the presence of portals or
NAT-style load balancers...)

%%  Christopher A. Bongaarts  %%  cab at tc.umn.edu       %%
%%  Internet Services         %%  http://umn.edu/~cab  %%
%%  University of Minnesota   %%  +1 (612) 625-1809    %%
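The scheme described above, as an added example that is not part of the original message: an HMAC-signed cookie carrying the username, an expiry and the IP address of the browser it was issued to, with validation that rejects the cookie when it is presented from any other address. The secret key, usernames and addresses are constructed for illustration only.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed server-side key for the example; a real deployment loads it from
# secret storage and never embeds it in source.
SECRET_KEY = b"example-only-secret-key-change-me"


def encode_part(data: bytes) -> str:
    """URL-safe base64 without padding, so the cookie is safe in a Set-Cookie header."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def decode_part(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_cookie(username: str, client_ip: str, ttl_seconds: int = 3600, now=None) -> str:
    """Build a cookie bound to the presenting browser's IP, as the post suggests."""
    if now is None:
        now = int(time.time())
    # Username goes first; IP and expiry are last so the parser can split from the right.
    payload = f"{username}|{client_ip}|{now + ttl_seconds}".encode()
    return encode_part(payload) + "." + encode_part(sign(payload))


def validate_cookie(cookie: str, client_ip: str, now=None):
    """Return the username if the cookie is authentic, unexpired and was
    issued to client_ip; return None otherwise."""
    if now is None:
        now = int(time.time())
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = decode_part(payload_b64)
        sig = decode_part(sig_b64)
    except (ValueError, binascii.Error):
        return None
    # Check the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(sig, sign(payload)):
        return None
    try:
        username, bound_ip, expires_str = payload.decode().rsplit("|", 2)
        expires = int(expires_str)
    except ValueError:
        return None
    if now >= expires:
        return None
    # The IP check from the post: a cookie stolen via XSS or a browser bug and
    # replayed from another host fails here even though its signature is valid.
    if bound_ip != client_ip:
        return None
    return username


if __name__ == "__main__":
    cookie = issue_cookie("alice", "192.0.2.10", ttl_seconds=600)
    print("same IP     :", validate_cookie(cookie, "192.0.2.10"))
    print("other IP    :", validate_cookie(cookie, "198.51.100.7"))
    # The post's caveat: a legitimate user whose apparent address changes
    # (NAT pool, proxy, load balancer) is rejected exactly the same way.
    print("after NAT   :", validate_cookie(cookie, "192.0.2.11"))
```

The last line of the demo is the limitation the post notes: the check cannot tell a thief on another host from the same user whose traffic now leaves a different NAT or load-balancer address, so it trades some availability for the replay protection.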
