lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200311191533.24449.jlell@JakobLell.de>
From: jlell at JakobLell.de (Jakob Lell)
Subject: defense against session hijacking

On Tuesday 18 November 2003 14:18, Jason Ziemba wrote:
> I'm not going to claim that my method is fool-proof, but..
> If you are using sessions on your site then you should have the ability to
> track the movement of a user through-out your system.
>
> If you record the last page the user was on (with a specific session-id)
> and then check the referrer server variable on their next hit.  Compare
> the referrer to their last known page.  Most of the time (depending on the
> complexity of your site) the referrer and last known page should match.
> If their session is 'hijacked', odds are the 'hijacker' will not be
> following in a valid user's footsteps, more likely they will just be
> coming at the server with rogue data.  The referrer check won't match and
> thus the validity of the session request is also void.

Hello,
if you open a link in a new tab or a new window and then open a link in the 
original tab/window, this check will fail and thus lock out legitimate users. 
Furthermore, it won't really help to improve security as the referer header 
can easily be spoofed.
Regards
 Jakob


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ