Session Security

I am working on a public site that will use database-enabled user sessions bound to a session id. I am trying to prevent session capture and tampering. The session data that I return to the client is of limited value in itself, but I would like to prevent wholesale theft. I developed a small diagram here, but I would like to receive feedback and criticism.

  • When a session begins, a unique key and a hash of their session data is provided to the client.
  • At each subsequent request, the client sends a session key + a hash of its session data.
  • If the session data is changed, a new hash value is provided to the client, reflecting their session data.
  • If the login request has an invalid hash that does not match the database, the session is marked as compromised. The request and all subsequent requests for the session lead to the creation of a new session by copying the compromised session. New sessions refer to the session from which they were copied for security audit purposes.

I believe that I can observe requests that are compromised to scan for large-scale attacks.

Thank you very much in advance.

+3
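The flow described in the question, as an added example that is not code from the original post: a server-side session store that hands the client a session id plus a hash of its session data, verifies the pair on every request, and on a mismatch marks the session compromised and forks a fresh copy that points back at the original for audit. Everything here (the SessionStore class, the audit_log list, the SERVER_KEY constant) is an assumption of this example. One deliberate change from the post's wording: the "hash of the session data" is a server-keyed HMAC rather than a plain hash, because a plain hash over data the client already holds can be recomputed by anyone who captures that data.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: in a real deployment the key comes from a secret
# store, never from the code or from the database row it protects.
SERVER_KEY = secrets.token_bytes(32)


def session_mac(session_id: str, data: dict) -> str:
    """Keyed hash over the session id and a canonical encoding of the session data.

    Binding the session id into the message means a hash captured for one session
    cannot be replayed against another. (HMAC is this example's choice, not the
    original post's wording.)"""
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    msg = session_id.encode() + b"\x00" + canonical
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class Session:
    session_id: str
    data: dict
    mac: str                          # value the client must echo on each request
    compromised: bool = False
    copied_from: Optional[str] = None  # audit link back to the compromised session


class SessionStore:
    """In-memory stand-in for the database-backed session table (assumed name)."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.audit_log: list[dict] = []

    def create(self, data: dict, copied_from: Optional[str] = None) -> Session:
        sid = secrets.token_urlsafe(32)  # high-entropy, unguessable session id
        session = Session(sid, dict(data), session_mac(sid, data), copied_from=copied_from)
        self.sessions[sid] = session
        return session

    def update(self, sid: str, data: dict) -> str:
        """Change the session data and return the new hash to hand back to the client."""
        session = self.sessions[sid]
        session.data = dict(data)
        session.mac = session_mac(sid, session.data)
        return session.mac

    def handle_request(self, sid: str, client_mac: str) -> tuple[str, Optional[Session]]:
        """Validate an incoming (session id, hash) pair.

        Returns ("ok", session), ("unknown", None) or ("compromised", fresh_copy)."""
        session = self.sessions.get(sid)
        if session is None:
            return "unknown", None
        # Constant-time comparison so response timing does not leak matching prefixes.
        if session.compromised or not hmac.compare_digest(session.mac, client_mac):
            if not session.compromised:
                session.compromised = True
                self.audit_log.append({"event": "session_compromised", "session_id": sid})
            # Every request against a compromised session gets a fresh copy that
            # refers back to the original, as the post describes.
            fresh = self.create(session.data, copied_from=sid)
            self.audit_log.append({"event": "session_forked", "from": sid, "to": fresh.session_id})
            return "compromised", fresh
        return "ok", session


if __name__ == "__main__":
    store = SessionStore()
    s = store.create({"user": "alice", "role": "viewer"})   # constructed sample data
    print(store.handle_request(s.session_id, s.mac)[0])      # ok
    print(store.handle_request(s.session_id, "0" * 64)[0])   # compromised
    print(store.audit_log)
```

The audit_log entries are what the question calls observing compromised requests: counting "session_compromised" events per time window is the signal for a large-scale attack, while the copied_from link lets an investigator walk from any forked session back to the one that was tampered with.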
4 answers

This seems relatively safe, but there are several ways you can get around this:

  • , . , //. , ... -.

  • , /, (, , ). , - ( , , ), , , .

+2

, . ?

, , . . , , .

, , , ?

:

  • IP-, , .

, SSL.

+2

.

, , , , - IP-, .

, IP , IP .

- URL. , , , - - - , ( ).

0

IP-. IP- NAT-. , , IP-.

In the past few years, there is another problem - the systems are much more mobile than before. I usually “sleep” my laptops instead of shutting them down, but that means that I come from different IP addresses at home, at work, in Starbucks, etc. This can lead to disconnection of servers with session timeouts of up to 15-30 minutes - I just need time so that I can get out of my office for lunch, etc.

0

Source: https://habr.com/ru/post/1706194/