[unisog] in memory cookie safe from theft ??

Gary Flynn flynngn at jmu.edu
Tue Mar 11 14:06:01 GMT 2003


Russell Fulton wrote:

> The vendor of the software (this isn't something we have control over :(
> ) says that since the cookie isn't written to disk the cookie isn't
> vulnerable to being stolen via XSS bugs.  I can see that this definitely
> makes it more difficult but my gut feeling is that there are ways to
> trick the browser into giving up the cookie. This is particularly so if
> the web site with the XSS 'bug' is in the same domain as the site that
> issued the cookie. 

Russell,

Most web session management is done using cookies. That is the
way ASP, JSP, and probably PHP do it. I believe pubcookie does
it that way which means Shibboleth probably will too. Not sure
about the Liberty Alliance or Passport. If there are problems
with the mechanism, more than your application will be affected :)

Any session ticket passed over a network to a possibly
insecure client has similar vulnerabilities for the life
of the ticket...even Kerberos.

If the cookie is grabbed in some way, there are some things
to help keep a thief from being able to use it for session
hijacking. One thing that comes to mind is to embed the
client IP address, browser information, etc. into the cookie
and do compares each time it is submitted with a new request.
Sure, someone could kill the user's session completely, spoof
their IP address, and spoof or actually use the same browser
but it raises the fence.

> The thing I really hate about this is that the security depends on how
> the clients are configured!

Um. What's new about that? ;)

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

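One way to implement the binding Gary describes above (embedding the client IP and browser information in the cookie and comparing on every request), as an added example that is not from the original thread or from any product it discusses; the server key, the cookie layout and the function names are assumptions for illustration:

```python
import hmac
import hashlib
import secrets

# Server-side secret used to seal the binding. Constructed value for this
# example; a real deployment loads it from a key store, never from source.
SERVER_KEY = b"example-server-key-do-not-reuse"


def _binding(session_id: str, client_ip: str, user_agent: str) -> bytes:
    """HMAC over the session id plus the request attributes the session is
    tied to. Because the key never leaves the server, a thief who obtains
    the cookie cannot re-seal it for a different IP address or browser."""
    ua_digest = hashlib.sha256(user_agent.encode()).hexdigest()
    msg = f"{session_id}|{client_ip}|{ua_digest}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_cookie(client_ip: str, user_agent: str) -> str:
    """Mint a cookie value of the form <session_id>.<binding_hex> for the
    client that is logging in right now."""
    session_id = secrets.token_hex(16)
    tag = _binding(session_id, client_ip, user_agent)
    return f"{session_id}.{tag.hex()}"


def verify_cookie(cookie: str, client_ip: str, user_agent: str) -> bool:
    """Re-derive the binding from the *current* request and compare it in
    constant time. A cookie replayed from another IP or browser, or a
    cookie whose tag was altered, is rejected."""
    try:
        session_id, tag_hex = cookie.split(".", 1)
        presented = bytes.fromhex(tag_hex)
    except ValueError:
        return False  # malformed cookie: wrong shape or non-hex tag
    expected = _binding(session_id, client_ip, user_agent)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed sample request attributes.
    ua = "Mozilla/5.0 (X11; Linux)"
    c = issue_cookie("10.0.0.5", ua)
    print("same client:     ", verify_cookie(c, "10.0.0.5", ua))    # True
    print("replayed elsewhere:", verify_cookie(c, "192.0.2.9", ua))  # False
```

The check is entirely server-side, so it works for an in-memory cookie just as for one on disk; as the reply notes, it raises the fence rather than closing it, and legitimate users whose address changes mid-session (mobile clients, rotating proxies) will be logged out.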