I have an application, for which a cookie is generated for each instance it is running.
Now assume that I have two browser/machines. Let me call A and B. I am use the machines to hack an application where A is the victim and B the attacker/hacker.
I have looged into my application using A. By some reason (the user of A might not know), the cookie was given to B(by mail or by chat). Note that the application has not yet been logged out from A. Now B sets the cookie in his browser and can able to access the application.
I wan't to avoid it.i.e., even if B has the cookie, he should be able to acces the application.
Any one Please help me.
Make each cookie value temporary. That minimizes the problem, and is the solution most applications use.
If you are super paranoid, you can tie the cookie value to the client IP address. Still not perfect, but better than nothing.
Thanks for the reply.
But the cookies are already in the temporary sessions. I tried to tie it up with ipadress, but the problem is the application will have a performance defect because of checking with ipaddress each time.
I am not sure that this can be succeeded or not.Any further comments.