Session hijacking is one of the most common problems caused by improper handling of these convenient functions of the Internet. There is always more that can be done but these will get you started.Ĭookies can be the source of many security vulnerabilities in a web application. Make sure the value within the cookie is completely unpredictable, transmit session cookies via SSL, make it easy to end sessions, set the HTTP attribute on the session cookie to true, and restrict the domain and path as much as possible. There are a number of things that you can do to your cookies to make them more secure. This is done in rails by setting the secure hash value of the cookie to true:ġ cookies. This ensures the cookie itself will only be transmitted over an SSL connection. This is done in Rails 3.x by adding the following line to your application config file ( config/application.rb).Īnother, less draconian, method is to set the cookie as “secure”. The most complete method is by forcing a secure connection for every request. There are a few ways to ensure cookies are always transmitted via SSL. This is because the key used to identify a user is being passed openly through the air for anybody to grab. This form of session hijacking is easily accomplished at the local coffee shop or any other establishment that offers open, unencrypted WiFi connectivity. Without the encrypted tunnel that SSL provides, cookies can be intercepted in transit making the interceptor indistinguishable from the real user. This means that in order to keep cookies safe, they must be transmitted via SSL, every time. Firesheep, the popular Firefox add-on, made this fact painfully obvious by providing an easy way to hijack sessions that are not encrypted. It doesn’t matter how unpredictable the session token’s value is, if it is being sent from the client to the server in the clear, it is not secure. Therefore, it is already protected against the easiest method for hijacking a session - prediction. The session token that Rails provides uses an unpredictable value by default, known as the session ID. (You can find the unique secret token in config/initializers/secret_token.rb.) Doing so virtually prevents the value from being tampered with. It does this by using the ActionSupport key generator along with your application’s secret token that is automatically generated by Rails. idĬalling the signed method on cookies encrypts the value. A minor change to the cookie makes the same value unpredictable.ġ cookies. Change the cookie value to 34 and you are now that user. If the value of the cookie is always 35, for example, it is easy to guess that there is a user with an id of 34. Therefore, after someone logs in to this application, they can simply change the value of the cookie stored in their browser to hijack another user’s session. The following is the worst way you could store this id in Rails.ġ cookies = user. For example, a simple value for a session cookie might be the user’s id. The first step that should be taken to protect your cookies is to use an unpredictable value inside the cookie. This attack is known as session hijacking. The theft can be accomplished in several ways: predictable session token value, man-in-the-middle attack, cross-site scripting, and others. If this cookie is stolen, an attacker can pose as the compromised user with all of their privileges. The convenience this session token provides does not come without a cost. Typically, when a user logs in, an identifier is saved inside this session token for future authentication. There are other uses for cookies but session hijacking focuses on authentication cookies, known as session tokens.īecause session tokens are so common, Rails provides one automatically for every application. They may store user preferences, track a user’s browsing habits, or authenticate a user without requiring him/her to enter usernames and passwords on every request. Cookies are used for a variety of reasons. What Is Session Hijacking?įirst, some context. Session hijacking is among the most common and potentially destructive cookie attacks. There are a number of attacks that utilize improper use of session cookies. Unfortunately, they're also good for hijacking application sessions and impersonating users. Browser cookies are a good way to provide a stateless protocol with some memory.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |