I have an application, for which a cookie is generated for each instance it is running.
Now assume that I have two browsers/machines. Let me call them A and B. I am using the machines to hack an application, where A is the victim and B the attacker/hacker.
I have logged into my application using A. For some reason (the user of A might not know), the cookie was given to B (by mail or by chat). Note that the application has not yet been logged out from A. Now B sets the cookie in his browser and is able to access the application.
I want to avoid this, i.e., even if B has the cookie, he should be able to access the application.
Anyone, please help me.
Disable Hacking through Cookies (2 messages)
- Posted by: Gulapala Rajasekhar
- Posted on: December 14 2005 00:53 EST
Disable Hacking through Cookies
- Posted by: Paul Strack
- Posted on: December 14 2005 23:13 EST
- in response to Gulapala Rajasekhar
Make each cookie value temporary. That minimizes the problem, and is the solution most applications use.
If you are super paranoid, you can tie the cookie value to the client IP address. Still not perfect, but better than nothing.
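The two measures Paul describes (short-lived session values and binding the value to the client IP) as an added, self-contained Python example; this is not code from the thread, and the in-memory store, the timeouts and the sample IPs are constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed limits for the example: absolute lifetime and idle timeout in seconds.
SESSION_TTL = 900
IDLE_TIMEOUT = 300


class SessionStore:
    """Server-side session table keyed by a hash of the cookie value."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so the behaviour is testable
        self._sessions = {}        # sha256(token) -> session record

    @staticmethod
    def _key(token):
        # Store only a digest, so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user, client_ip):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        ts = self._now()
        self._sessions[self._key(token)] = {
            "user": user, "ip": client_ip, "created": ts, "last_seen": ts}
        return token

    def validate(self, token, client_ip):
        """Return the user for a valid cookie, or None (and drop the session)."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        now = self._now()
        expired = now - s["created"] > SESSION_TTL or now - s["last_seen"] > IDLE_TIMEOUT
        if expired or s["ip"] != client_ip:
            # Either stale, or presented from a different client than the one that
            # logged in: invalidate so a copied cookie also stops working for A.
            del self._sessions[key]
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, token, client_ip):
        """Issue a fresh cookie value and retire the old one (e.g. after login)."""
        user = self.validate(token, client_ip)
        if user is None:
            return None
        del self._sessions[self._key(token)]
        return self.create(user, client_ip)
```

The IP check is one string comparison per request, so it costs far less than the session lookup itself; the real caveat is that legitimate users behind changing proxies or mobile networks will be logged out when their address changes.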
Disable Hacking through Cookies
- Posted by: Gulapala Rajasekhar
- Posted on: December 15 2005 04:24 EST
- in response to Paul Strack
Thanks for the reply.
But the cookies are already in the temporary sessions. I tried to tie it to the IP address, but the problem is that the application will have a performance defect because of checking the IP address each time.
I am not sure whether this can succeed or not. Any further comments?