| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jlell at JakobLell.de (Jakob Lell) Subject: defense against session hijacking On Tuesday 18 November 2003 14:18, Jason Ziemba wrote: > I'm not going to claim that my method is fool-proof, but.. > If you are using sessions on your site then you should have the ability to > track the movement of a user through-out your system. > > If you record the last page the user was on (with a specific session-id) > and then check the referrer server variable on their next hit. Compare > the referrer to their last known page. Most of the time (depending on the > complexity of your site) the referrer and last known page should match. > If their session is 'hijacked', odds are the 'hijacker' will not be > following in a valid user's footsteps, more likely they will just be > coming at the server with rogue data. The referrer check won't match and > thus the validity of the session request is also void. Hello, if you open a link in a new tab or a new window and then open a link in the original tab/window, this check will fail and thus lock out legitimate users. Furthermore, it won't really help to improve security as the referer header can easily be spoofed. Regards Jakob
Powered by blists - more mailing lists