Fog Creek Software
Discussion Board
Session-based logins, how secure?

I've used session cookies for making login thingies in ASP, PHP and JSP. (When security was important I always used whatever features the server provided for this purpose, so I never even wondered about how secure the manual session thingy is.)

I.e. a login page queries the database and, if UID and PW match, a session variable is set to the user ID or something.
Then all protected pages start with an if statement that only prints the rest of the page if the cookie is set.

Is this a good way to do it?

Eric DeBois
Tuesday, July 29, 2003

Good question, I would really like to see the opinions. Is there any other way (except session-based) available?

Evgeny Goldin
Tuesday, July 29, 2003

A setup as you have described is extremely vulnerable unless you are using TLS.

Look at using HTTP digest authentication as another option.

matt
Tuesday, July 29, 2003

http://www.owasp.org/asac/auth-session/hijack.shtml

http://www.owasp.org/guide (chapters 6 and 7)

http://www.acros.si/papers/session_fixation.pdf

http://fishbowl.pastiche.org/archives/docs/PasswordRecovery.pdf

Scot
Tuesday, July 29, 2003

You can add some simple things to increase the security of using session cookies, like storing and validating the IP address and other client-side information (browser version, OS version, etc.). These things are easily compared.

It makes sense to use HTTPS, though.

Brad Wilson (dotnetguy.techieswithcats.com)
Tuesday, July 29, 2003

I think the setup described is simple and robust.
To hijack a session like this one either listens for a password and user name, or a cookie. Thus you may want to make sure that the passwords travel over https and can't be sniffed. A lost session will expire at some point, and is not as vulnerable as the password loss.

There is an excellent book "Web Hacking: attacks and defense" by S. McClure and others. It shows you how people crack into web boxes and actually recommends using a random session ID. Https is desirable, but if it is too much of a performance hit, drop it ...

Mr Curiousity
Tuesday, July 29, 2003

"You can add some simple things to increase the security of using session cookies, like storing and validating the IP address and other client-side information (browser version, OS version, etc.). These things are easily compared."

IP could be useful, but what if people connect over a modem and get a different IP after a disconnect?

Everything else is easy to fake, so do not bother.

Anyway, a long random session ID is as good as it gets ...

Mr Curiousity
Tuesday, July 29, 2003

Someone who can hijack your session cookie can just as easily fake browser and OS version strings. Faking the IP address of the client should be harder, but I really don't have a good idea how much more secure this makes it.
I think the Right Way to do this is SSL. The Pretty Good Way to do it is Digest Authentication, though this is usually harder to configure than a page that checks username/pw.

Brian
Tuesday, July 29, 2003

So what I gather is:
It's safe enough for non-sensitive stuff, where no money or personal info is involved.

By storing the IP and continually checking to see if the session is still in the hands of the computer that logged in, security can be increased somewhat.

Thanks a bunch =D

Eric DeBois
Tuesday, July 29, 2003

Coding to IP Address can be a tricky thing. With AOL clients the IP Address can change several times within a session. I am also seeing this same action with some of our Bell South users in central and southern Florida.

Jeff
Tuesday, July 29, 2003

Any idea what causes requests in the same session to come from different IP addresses? Some sort of load balanced web proxy?

Brian
Wednesday, July 30, 2003

From AOL, I can only assume that a load balancer is the problem. From Bell South I have been told it is done to mess with people that share their connection. My Comcast DHCP address is changed every night around midnight well before the address expires. Every now and then it tricks up my Linksys and I have to restart it.

Jeff
Wednesday, July 30, 2003
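Pulling the thread's advice together in one place: a long random session ID kept server-side, idle expiry, a fresh ID issued at login so a pre-existing ID (the session fixation case from the acros.si paper linked above) never becomes the authenticated one, and the optional IP binding with the trade-off Jeff describes. This is an added Python example, not code from any poster; the user table, the plaintext password, the 15-minute TTL and the IP addresses are all constructed for illustration.

```python
import secrets
import time

# Constructed in-memory session store: session ID -> record. The record lives
# server-side; the cookie carries only the random ID, never the user ID.
SESSIONS = {}
SESSION_TTL = 15 * 60  # seconds of inactivity after which a session expires

# Constructed user table with a plaintext password, purely to keep the example
# short; a real store would hold salted password hashes.
USERS = {"eric": "correct horse"}


def new_session(user_id, client_ip=None, now=None):
    """Issue a long random session ID and store the record server-side."""
    token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
    SESSIONS[token] = {"user": user_id, "ip": client_ip,
                       "last_seen": time.time() if now is None else now}
    return token


def login(username, password, client_ip=None, presented_token=None, now=None):
    """Check credentials; on success issue a fresh ID so a session ID that
    existed before login (e.g. one planted by session fixation) is never
    the one that becomes authenticated."""
    if not secrets.compare_digest(USERS.get(username, ""), password):
        return None
    if presented_token is not None:
        SESSIONS.pop(presented_token, None)  # discard the pre-login session
    return new_session(username, client_ip, now)


def current_user(token, client_ip=None, now=None):
    """The check every protected page runs first. Returns the user ID, or
    None when the page should stop and send the visitor to the login page."""
    now = time.time() if now is None else now
    rec = SESSIONS.get(token)
    if rec is None:
        return None
    if now - rec["last_seen"] > SESSION_TTL:
        SESSIONS.pop(token, None)  # idle expiry bounds the value of a leaked cookie
        return None
    # Optional IP binding as suggested in the thread. It also rejects the
    # legitimate user whenever their address changes mid-session (AOL,
    # DHCP renewal), which is the trade-off the later posts describe.
    if rec["ip"] is not None and client_ip != rec["ip"]:
        return None
    rec["last_seen"] = now  # sliding expiry on successful use
    return rec["user"]
```

Pass `client_ip=None` to `login` to get a session that is not IP-bound, which is the safer default for the dial-up and proxied clients discussed above.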
