Server side check if cookie is stolen

Is there a way to check if a cookie from user A was stolen by user B on the server side?

e.g. tokens / cookie data created using a simple hash function (e.g. sha1)

hash_of(user_agent, ip+proxy_ip, username, random_session_key), where user_agent is the browser user agent, ip is the client IP address, proxy_ip is the IP address of the proxy the client uses, username is the username the user is currently logged in with, and random_session_key is a random number saved to the database when the user logs in.

If this cookie was stolen and used by another person on the local network, and the LAN does not use a proxy server, and NAT, and the thief used the exact same browser (or spoofed the user agent), how do we find that out on the server?

+4
2 answers

Yes, there is a way. It is called the Secure Cookie Protocol.

Are you using SSL correctly? (because if you do not, this whole conversation is pointless).

Well, you encrypt the cookie, but use the SSL session id. Assuming SSL gives you adequate endpoint security (strong ciphers, etc.), SCP should protect your data and let you know when another SSL session tries to use the same cookie (because the session id changes, and therefore the MAC will change).

    key    = HMAC(user name|expiration time, secret_key)
    cookie = user name|expiration time|encrypt(data, key)
    cookie = cookie|HMAC(user name|expiration time|data|sessionid, key)

Thus, you create a unique verification code based on the SSL session ID.

Note that REMOTE_ADDR and the user agent never come into it. The only factors it uses are things that are extremely non-trivial to substitute if you have not physically compromised the client box...

+5
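To make the three pseudocode lines in this answer concrete, here is an added Python example; it is not code from the original post or from the SCP paper. It assumes the web server hands the application the TLS session id (tls_session_id), uses a constructed SERVER_SECRET, and stands in for encrypt() with an HMAC-SHA256 counter keystream rather than a real cipher. The MAC covers the plaintext data exactly as the pseudocode writes it, so a replay from a different TLS session, a tampered username or expiry, or an altered payload all fail the same check. The Set-Cookie helper also shows the Secure and HttpOnly flags the other answer recommends.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample secret; a real deployment loads this from a secret store.
SERVER_SECRET = b"constructed-server-secret-key"


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for encrypt()/decrypt(): XOR with an HMAC-SHA256 counter keystream.
    XOR is its own inverse, so the same call decrypts. A production deployment
    would use an authenticated cipher such as AES-GCM here (assumption)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += _mac(key, b"keystream" + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def make_cookie(username: str, expiry: int, data: bytes, tls_session_id: bytes,
                server_key: bytes = SERVER_SECRET) -> str:
    """Build  user|expiry|encrypt(data, key)|HMAC(user|expiry|data|sessionid, key)."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    header = f"{username}|{expiry}".encode()
    key = _mac(server_key, header)           # key = HMAC(user name|expiration time, secret_key)
    encrypted = _keystream_xor(key, data)    # encrypt(data, key)
    tag = _mac(key, header + b"|" + data + b"|" + tls_session_id)
    return "|".join([username, str(expiry), _b64(encrypted), _b64(tag)])


def verify_cookie(cookie: str, tls_session_id: bytes,
                  server_key: bytes = SERVER_SECRET, now=None):
    """Return (payload, status); payload is None unless status == "ok"."""
    try:
        username, expiry_text, encrypted_b64, tag_b64 = cookie.split("|")
        expiry = int(expiry_text)
        encrypted, tag = _unb64(encrypted_b64), _unb64(tag_b64)
    except ValueError:                       # wrong field count, bad int, bad base64
        return None, "malformed"
    if (time.time() if now is None else now) > expiry:
        return None, "expired"
    header = f"{username}|{expiry}".encode()
    key = _mac(server_key, header)           # re-derive key from the presented header
    data = _keystream_xor(key, encrypted)    # decrypt before checking the plaintext MAC
    expected = _mac(key, header + b"|" + data + b"|" + tls_session_id)
    # Constant-time compare: another TLS session, or any edited field, lands here.
    if not hmac.compare_digest(expected, tag):
        return None, "mac mismatch"
    return {"username": username, "data": data}, "ok"


def set_cookie_header(value: str, expiry: int, now=None) -> str:
    """Set-Cookie line carrying the Secure and HttpOnly flags (SameSite added for CSRF)."""
    max_age = max(0, int(expiry - (time.time() if now is None else now)))
    return (f"Set-Cookie: session={value}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    # Constructed scenario: alice logs in over TLS session A.
    expiry = int(time.time()) + 3600
    cookie = make_cookie("alice", expiry, b"role=user", b"tls-session-A")
    print(set_cookie_header(cookie, expiry))
    print("same TLS session:", verify_cookie(cookie, b"tls-session-A")[1])
    # Someone on the same LAN replays the cookie from their own TLS session;
    # same IP and user agent, but the session id differs, so the MAC fails.
    print("other TLS session:", verify_cookie(cookie, b"tls-session-B")[1])
```

Two deployment caveats: the TLS session id must be exported by the TLS terminator to the application (with session tickets or TLS 1.3 resumption the identifier semantics change, and a new TLS connection forces a fresh login), and modern practice would MAC the ciphertext rather than the plaintext, which this example keeps only to match the answer's pseudocode.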

If the cookie was captured, it's too late. The app must properly protect its secrets. The user agent is controlled by the attacker, so verifying this value is unsafe by nature.

OWASP - Inadequate transport layer security.

HTTPOnly cookies, Secure cookies

Prevent XSS, CSRF, clickjacking and session fixation.

+1

Source: https://habr.com/ru/post/1487443/
