security - How does the addition of a series identifier help in this persistent login implementation?
Original "remember me" login implementation: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
Addition: http://jaspan.com/improved_persistent_login_cookie_best_practice
Miller's original implementation of the "remember me" persistent login function is easy enough for me to understand - no problems there.
What's puzzling me, though, is how the addition of the "series identifier" in the improved version helps - since if the "remember me" cookie is stolen and the attacker presents the cookie to the site, they can use it until the original user tries to use their own cookie - at which point, because the credentials don't match, the details are wiped from the database and both the user and the attacker are "logged out".
Until the original user attempts to use the cookie, though - can't the attacker use the stolen credentials?
If I understood well, the problem with Miller's implementation, according to Jaspan, is that the victim doesn't know the cookie was stolen. The goal is to display a message to the user saying they were the victim of session hijacking.
As the attacker, after using the stolen cookie, receives a new random token, we have to detect if someone is using the old cookie to authenticate, in order to detect potential session hijacking.
So Jaspan proposes, instead of keeping track of old cookies, to (permanently) link a long, random and unpredictable id to the user and add it to the cookies.
Finally, instead of detecting old valid cookies, we check if the username and the id present in the cookie match, and then check the token. If the token does not match but the username matches the id, we can deduce the cookie was once valid and there might be session hijacking (or the legitimate user is using a different device :))
This solution does not prevent session hijacking by cookie stealing, but it allows warning the user at login that their session may have been hijacked.