Securing Sessions using unique information
https://stackoverflow.com/questions/12758168
-
05-07-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianDomanda
To Avoid Session Hijacking after a user has logged In , what information can i rely on during login process to validate that indeed the legitimate user. So that someone who intercepts the session to relay will be invalidated
Are their Ip address and Browser Information good enough for it ?
Soluzione
Are their Ip address and Browser Information good enough for it ?
Definitely Not. The IP address can be spoofed and the browser can be retro-fitted to be a poor man's metasploit toolkit. See the Poster tool.
The OWASP project has very good pointers to protecting the session token and other good stuff relating to general web application security.
Trust NOTHING that didn't start from within your web application server's installation folder.
Altri suggerimenti
You can require the user to re-authenticate (type in their password again) before doing something important, like changing their email address. There is no bulletproof protection against session hijacking, you need to choose how much usability you are prepared to sacrifice in the name of security.
