Open Source and information security mailing list archives
From: jlell at (Jakob Lell)
Subject: defense against session hijacking

On Tuesday 18 November 2003 14:18, Jason Ziemba wrote:
> I'm not going to claim that my method is fool-proof, but..
> If you are using sessions on your site then you should have the ability to
> track the movement of a user throughout your system.
> If you record the last page the user was on (with a specific session-id)
> and then check the referrer server variable on their next hit.  Compare
> the referrer to their last known page.  Most of the time (depending on the
> complexity of your site) the referrer and last known page should match.
> If their session is 'hijacked', odds are the 'hijacker' will not be
> following in a valid user's footsteps, more likely they will just be
> coming at the server with rogue data.  The referrer check won't match and
> thus the validity of the session request is also void.

If you open a link in a new tab or a new window and then open a link in the 
original tab/window, this check will fail and thus lock out legitimate users. 
Furthermore, it won't really help to improve security as the Referer header 
can easily be spoofed.
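
The following is an added example, not part of either message in this thread: a small simulation of the Referer check quoted above, run through the two cases the reply raises. The server class, the session id, the origin `https://example.test` and the request sequences are constructed for illustration; the attacker scenario assumes the hijacker saw the victim's last request over the same channel that leaked the session id.

```python
# Added example (not from the thread): the proposed "last page must equal the
# next request's Referer" check, exercised with the two cases the reply raises.
# Server class, session id, URLs and request sequences are constructed.

from typing import Dict, List, Optional, Tuple

SITE = "https://example.test"  # constructed origin for absolute Referer values


class RefererCheckServer:
    """Implements the quoted proposal: remember the last page served to each
    session and require the next request's Referer to name that page."""

    def __init__(self) -> None:
        self.last_page: Dict[str, str] = {}

    def handle(self, session_id: str, path: str,
               referer: Optional[str]) -> Tuple[bool, str]:
        """Return (accepted, reason) for one request carrying a session cookie."""
        expected = self.last_page.get(session_id)
        if expected is not None and referer != expected:
            # The proposal treats a mismatch as evidence of a hijacked session.
            return False, f"Referer {referer!r} does not match last page {expected!r}"
        # Record the page just served as the Referer expected on the next hit.
        self.last_page[session_id] = SITE + path
        return True, "ok"


def legitimate_user_with_two_tabs() -> List[bool]:
    """A real user: load /home, open /news in a new tab, then click a link on
    the still-open /home tab.  The third request carries Referer /home, but the
    server now expects /news, so the legitimate user is locked out.
    Returns the accept/reject outcome of each request: [True, True, False]."""
    server = RefererCheckServer()
    sid = "session-abc"  # constructed session id
    results = []
    results.append(server.handle(sid, "/home", None)[0])               # first hit, no Referer
    results.append(server.handle(sid, "/news", SITE + "/home")[0])     # opened in a new tab
    results.append(server.handle(sid, "/profile", SITE + "/home")[0])  # clicked in the original tab
    return results


def attacker_with_forged_referer() -> bool:
    """An attacker who captured the victim's session id and last request
    (assumption: both were observed on the same channel) simply sets the
    Referer header to the value the server expects.  Returns True: accepted."""
    server = RefererCheckServer()
    sid = "session-abc"
    server.handle(sid, "/account", SITE + "/home")  # victim's last legitimate request
    # Hijacker replays the cookie with a hand-crafted Referer header.
    accepted, _ = server.handle(sid, "/account/export", SITE + "/account")
    return accepted


if __name__ == "__main__":
    print("legitimate user, two tabs:", legitimate_user_with_two_tabs())
    print("attacker with forged Referer accepted:", attacker_with_forged_referer())
```

The two functions show the point of the reply in running code: the check rejects an ordinary multi-tab browsing pattern while accepting any request whose sender chooses the Referer value, which a client controls completely.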
