security - How does the addition of a series identifier help in this persistent login implementation? -

-

original "remember me" login implementation: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/

addition: http://jaspan.com/improved_persistent_login_cookie_best_practice

millers original implementation of "remember me" persistent login function easy enough me understand - no problems there.

what's puzzling me though how addition of of "series identifier" in improved version helps - since if "remember me" cookie stolen attacker presents cookie site , can use until original user tries use own cookie - @ point, because credentials don't match, details wiped database , user , attacker "logged out".

until original user attempts use cookie though - can't attacker use stolen credentials?

if understood well, problem miller implementation according jaspan victim doesn't know cookie stolen.the goal display message user saying victim of session hijacking.

as attacker after using stolen cookie receive new 1 new random token, have detect if using old cookie authenticate, detect potential session hijacking.

so jaspan proposes, instead of keeping tracks of old cookies, (permanently) link long, random , unpredictable id user added cookies.

finally instead of detecting old valid cookies, if username , id present in cookie match, , check token. if token not match, username matches id, can deduce cookie once valid , there might session hijacking (or legitimate user using different device :))

this solution not prevent session hijacking cookie stealing, allows warn user @ login session may have been hijacked.


Comments

Post a Comment

Popular posts from this blog

javascript - Karma not able to start PhantomJS on Windows - Error: spawn UNKNOWN -

-
i lost "unknown" error: karma.conf.js: frameworks: ['mocha', 'should'], plugins: ['karma-mocha', 'karma-should', 'karma-phantomjs-launcher'], ... browsers: ['phantomjs'], error: 23 07 2015 14:35:37.691:warn [karma]: no captured browser, open http://localhost:9876/ 23 07 2015 14:35:37.701:info [karma]: karma v0.13.3 server started @ http://localhost:9876/ 23 07 2015 14:35:37.707:info [launcher]: starting browser phantomjs 23 07 2015 14:35:37.738:error [karma]: { [error: spawn unknown] code: 'unknown', errno: 'unknown', syscall: 'spawn' } error: spawn unknown @ exports._errnoexception (util.js:749:11) @ childprocess.spawn (child_process.js:1093:11) @ exports.spawn (child_process.js:933:9) @ object._execcommand (c:\users\jinga4x\git\mdl-sample-project\node_modules\karma\lib\launchers\process.js:63:21) @ object._start (c:\users\jinga4x\git\md
Read more

Nuget pack csproj using nuspec -

-
i want create nuget package contains specified in nuspec file, still version csproj. in order use token have pack like: nuget pack myproj.csproj but when adds dependencies , creates unwanted folder in nuget package. nuspec file is: <?xml version="1.0" encoding="utf-8"?> <package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd"> <metadata> <id>test</id> <version>$version$</version> <title>test</title> <authors>test</authors> <owners>test</owners> <requirelicenseacceptance>false</requirelicenseacceptance> <description>test</description> <summary>test</summary> <releasenotes>test</releasenotes> <copyright>test</copyright> </metadata> <files> <file src="bin\debug\*.dll" target="lib\net45" /> <file s
Read more

c# - Display ASPX Popup control in RowDeleteing Event (ASPX Gridview) -

-
i have aspxgridview includes new , delete button. delete button includs gv_rowdeleting event. want show aspxpopupcontrol (id="pupconfirm"). want user have confirm password delete item. tried: protected void gv_rowdeleting(object sender, devexpress.web.data.aspxdatadeletingeventargs e) { pupconfirm.showonpageload = true; } but nothing happened. please me. !!! you can create template column javascript prompt confirmation. <itemtemplate> <asp:linkbutton id="btndelete" runat="server" text="delete" commandname="delete" onclientclick="javascript:if(!confirm('are sure want delete record?')){return false;}"> </asp:linkbutton> </itemtemplate>
Read more