measure:
Before the session id is POSTed to the receiving server, I will create
a token (via md5(uniqid(rand(), true))). This token will be saved in a
separate database table along with the current user's session id and a
datetime value set 30 seconds into the future (i.e. the token
expiration). When the receiving server receives the POST data, it will
first look up the POSTed session id in the cake_sessions table and
verify the user agent and IP address. If successful, it will then
look up the token and expiration date and verify that the POSTed token
matches the token in the database, and that it has not expired.
This will create one extra layer of protection in the event that an
office worker spies on his co-worker's computer to obtain the session
id from the cookie stored on the victim's PC. Even if the attacker
obtains a valid session id in this way, he would still need to POST a
valid token (i.e. one that's in the secondary table) from his
hijacking form which will be nearly (if not completely) impossible to
do. Additionally, he would also need to do this within 30 seconds of
the token generation. Of course, user agent and IP address have to
match first, but that's easy to get around, especially in an office
network.
On Oct 2, 9:49 am, etipaced <kevindecap...@gmail.com> wrote:
> I'm using Cake 1.2 to build an app that will require a user to
> maintain their session state across multiple domains. I'm not talking
> about subdomains (i.e. tertiary1.domain.com and tertiary2.domain.com),
> but two explicitly different domains altogether (i.e. www.mydomain.com
> and secure.your-domain.net, etc.). I've done a fair amount of research
> and have decided on the following method:
>
> - Use database sessions (obviously)
> - Pass the session id from one domain to another via POST
> - Use a controller action to manually POST the session id to the other
> domain (to avoid using a hidden form field)
> - The POST will take place via an SSL connection
> - On the receiving server, simply read the POSTed session id and set
> it, thus restoring the session for that user
>
> I'm asking if this is a safe, secure and reliable method for
> maintaining session state across domains? It makes sense in my mind
> but I may be missing something. This method should prevent the session
> id from EVER being readable by anyone other than the sending and
> receiving domains (especially since I'm passing via SSL).
>
> This should prevent log file tracking of the session id from passing
> via GET (since I'm not using GET), no caching of the hidden form field
> on the user's browser, and no hijacking of the session unless someone
> creates their own form, guesses an active session id, and then POSTs
> to the receiving server. However, I can perform additional checks on
> the receiving server to make sure it's the same user (verify user
> agent [Cake does this automagically], and verify IP).
>
> Just wanted to get some feedback, criticism and/or support before I
> implement this in my app. Thanks for reading!
You received this message because you are subscribed to the Google Groups "CakePHP" group.
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
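The hand-off the two posts describe, written out as an added PHP example (this is not code from either poster, nor from CakePHP). The sending domain mints a token tied to the session id with a 30-second expiry; session id and token are POSTed over SSL to the receiving domain, which checks the session row plus user agent and IP first, then the token and its expiry, before adopting the session. Everything below is an assumption for the demo: both domains read one shared SQLite database, the table transfer_tokens(token, session_id, expires) and the three columns used from cake_sessions are invented, the token is generated with random_bytes() instead of the md5(uniqid(rand(), true)) mentioned in the reply, and each token is deleted the first time it is presented so a captured POST cannot be replayed inside the 30-second window.

```php
<?php
declare(strict_types=1);

// Added example, not the thread's or CakePHP's code. Hypothetical schema:
//   cake_sessions(id, user_agent, ip)            -- columns assumed for the demo
//   transfer_tokens(token, session_id, expires)  -- invented for the demo
// Both domains are assumed to share this one database.

const TOKEN_TTL_SECONDS = 30;

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE cake_sessions (id TEXT PRIMARY KEY, user_agent TEXT, ip TEXT)');
    $db->exec('CREATE TABLE transfer_tokens (token TEXT PRIMARY KEY, session_id TEXT, expires INTEGER)');
    return $db;
}

// Sending domain: mint a token bound to the session, valid for TOKEN_TTL_SECONDS.
// random_bytes() (CSPRNG) is used here instead of md5(uniqid(rand(), true)).
function issueTransferToken(PDO $db, string $sessionId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits, not guessable by an attacker
    $db->prepare('INSERT INTO transfer_tokens (token, session_id, expires) VALUES (?, ?, ?)')
       ->execute([$token, $sessionId, $now + TOKEN_TTL_SECONDS]);
    return $token;
}

// Receiving domain: returns the session id to adopt, or null and sets $reason.
function redeemTransferToken(PDO $db, string $sessionId, string $token,
                             string $ua, string $ip, int $now, ?string &$reason = null): ?string
{
    // Step 1: the session must exist and UA/IP must match what was recorded.
    $stmt = $db->prepare('SELECT user_agent, ip FROM cake_sessions WHERE id = ?');
    $stmt->execute([$sessionId]);
    $sess = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($sess === false) { $reason = 'unknown session'; return null; }
    if (!hash_equals($sess['user_agent'], $ua) || !hash_equals($sess['ip'], $ip)) {
        $reason = 'user agent / IP mismatch';
        return null;
    }
    // Step 2: find a token for this session, compare in constant time, check expiry.
    $stmt = $db->prepare('SELECT token, expires FROM transfer_tokens WHERE session_id = ?');
    $stmt->execute([$sessionId]);
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (!hash_equals($row['token'], $token)) { continue; }
        // Single use: delete the row whether or not it is still valid.
        $db->prepare('DELETE FROM transfer_tokens WHERE token = ?')->execute([$row['token']]);
        if ((int) $row['expires'] < $now) { $reason = 'token expired'; return null; }
        $reason = null;
        return $sessionId;
    }
    $reason = 'no matching token';
    return null;
}

// --- demo with constructed data ---
$db = openDb();
$db->prepare('INSERT INTO cake_sessions VALUES (?, ?, ?)')
   ->execute(['sess-abc123', 'Mozilla/5.0 (demo)', '10.0.0.5']);
$ua = 'Mozilla/5.0 (demo)';
$ip = '10.0.0.5';
$t0 = 1000000; // constructed clock value in seconds

$show = function (string $label, ?string $result, ?string $why): void {
    printf("%-45s -> %s\n", $label, $result ?? 'REJECTED (' . $why . ')');
};

// 1. Legitimate hand-off inside the window.
$token = issueTransferToken($db, 'sess-abc123', $t0);
$show('fresh token, 5 s later', redeemTransferToken($db, 'sess-abc123', $token, $ua, $ip, $t0 + 5, $why), $why);

// 2. Same POST replayed by someone who captured it: token already consumed.
$show('replay of consumed token', redeemTransferToken($db, 'sess-abc123', $token, $ua, $ip, $t0 + 6, $why), $why);

// 3. Co-worker who copied the session id from the cookie but has no token.
$show('session id only, guessed token', redeemTransferToken($db, 'sess-abc123', 'guess', $ua, $ip, $t0 + 7, $why), $why);

// 4. Valid token presented after the 30 s window.
$late = issueTransferToken($db, 'sess-abc123', $t0);
$show('valid token, 31 s later', redeemTransferToken($db, 'sess-abc123', $late, $ua, $ip, $t0 + 31, $why), $why);

// 5. Right session id and token, but from a different user agent.
$fresh = issueTransferToken($db, 'sess-abc123', $t0 + 40);
$show('right token, wrong user agent', redeemTransferToken($db, 'sess-abc123', $fresh, 'curl/7.0', $ip, $t0 + 41, $why), $why);
```

Two points the code makes that the prose leaves implicit: the session id POSTed across domains is still a bearer credential, so the SSL transport is what protects it in transit, and the transfer token only adds value if it is unguessable and consumed on first use; a token that survives a successful redemption could be replayed by anyone who captured the POST within the 30-second window.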