Question

Initial idea: In the article "Improved Persistent Login Cookie Best Practice" (http://jaspan.com/improved_persistent_login_cookie_best_practice), bjaspan suggests a clever means of catching a would-be cookie thief by creating a series identifier, which, in a nutshell, flags a possible security issue if two computers attempt to use the same series identifier.

Problem: However, as "The definitive guide to form-based website authentication", Part II, point 1, rightly points out, this is easily defeated by the hacker simply deleting the user's cookie after copying it for themselves. Since this article is reasonably popular, it's likely that anyone with enough know-how to steal the cookie would know to delete the old one.

Question: Is there a solution that would overcome this? The benefit of being able to detect a cookie theft (even if not immediately) is fairly valuable for persistent login security. Is there a better way to prevent or detect cookie theft?
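The series/token scheme the question refers to, together with the deletion bypass it is worried about, as an added example that is not code from the linked article or from this page. The store class, its `issue`/`present` methods, and the two scenario functions are hypothetical names chosen for illustration; cookies are modelled as `(user, series, token)` tuples rather than real HTTP cookies, and tokens are stored hashed on the server so a leaked table cannot simply be replayed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _digest(token: str) -> str:
    # Store only a hash so a leaked table cannot be replayed as a cookie.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class SeriesRecord:
    user: str
    token_hash: str  # hash of the latest token issued for this series


class PersistentLoginStore:
    """Hypothetical server-side store for the series/token scheme."""

    def __init__(self):
        self._series = {}   # series id -> SeriesRecord
        self.alerts = []    # theft warnings raised by present()

    def issue(self, user):
        """Password login succeeded: start a new series with a fresh token."""
        series, token = secrets.token_hex(16), secrets.token_hex(16)
        self._series[series] = SeriesRecord(user, _digest(token))
        return (user, series, token)   # what the client stores in its cookie

    def present(self, cookie):
        """Validate a remember-me cookie; return the rotated cookie or None."""
        user, series, token = cookie
        rec = self._series.get(series)
        if rec is None or rec.user != user:
            return None                # unknown series: just a failed login
        if hmac.compare_digest(rec.token_hash, _digest(token)):
            new_token = secrets.token_hex(16)
            rec.token_hash = _digest(new_token)
            return (user, series, new_token)
        # Known series but stale token: a second holder of this series has
        # already used it, so treat it as theft and log the user out everywhere.
        self.alerts.append(f"possible cookie theft: user={user} series={series}")
        self.invalidate_user(user)
        return None

    def invalidate_user(self, user):
        for s in [s for s, r in self._series.items() if r.user == user]:
            del self._series[s]


def scenario_theft_detected():
    """Thief copies the cookie but leaves the victim's copy in place."""
    store = PersistentLoginStore()
    victim = store.issue("alice")
    thief = victim                          # same (user, series, token) triple
    thief = store.present(thief)            # thief goes first; token rotates
    victim_result = store.present(victim)   # victim presents the now-stale token
    thief_after = store.present(thief)      # series was revoked, so this fails too
    return victim_result is None and thief_after is None and len(store.alerts) == 1


def scenario_theft_evades_detection():
    """Thief copies the cookie and deletes it from the victim's browser."""
    store = PersistentLoginStore()
    victim = store.issue("alice")
    thief = victim
    victim = None                      # deleted from the victim's machine
    thief = store.present(thief)       # thief rotates the token uncontested
    victim = store.issue("alice")      # victim has no cookie, logs in by password
    store.present(victim)              # ... and gets an unrelated new series
    thief = store.present(thief)       # thief keeps using the stolen series
    return thief is not None and store.alerts == []


if __name__ == "__main__":
    print("theft detected:", scenario_theft_detected())
    print("theft evaded:  ", scenario_theft_evades_detection())
```

The first scenario is the case the series identifier was designed for: the stale token arrives on a known series, the server raises an alert and revokes every series for that user, so both the victim and the thief are logged out. The second scenario shows why deleting the victim's cookie defeats it: the victim's fresh password login creates a new, unrelated series, the stolen series only ever sees one holder, and nothing on the server ever looks wrong.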

No correct solution

OTHER TIPS

You should use only SSL connections (HTTPS), and if you use cookies, you need to use the Secure flag (so the cookie is sent only over SSL, avoiding surf jacking attacks), and also the HttpOnly flag (to avoid XSS; the browser will not give the cookie to JavaScript). Because the communication is encrypted, the attacker cannot decrypt and modify it (delete the cookie).

My personal opinion is that "Improved Persistent Login Cookie Best Practice" is still better. It's not always the case that the attacker has access to the user's browser to delete the cookie while stealing it. For example, consider a case where the attacker gets the cookie from server-side logs.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow