Ask HN: Session stealing prevention, possibly naive idea - swah

Went to learn a little bit about web security after the posts about Firesheep (I know the problem is old but I'm new to web development).

I'm wondering if the idea outlined below would make session stealing a little harder. I'm probably missing something, so would love if you could tell me where I'm wrong.

Server would send a new cookie with each request, suppose it is a sequential number which is the only number accepted by the server for the next request. When the session is stolen, the attacker uses the valid number, incrementing the server counter. The original client then tries to use it, but the counter is now invalid, so he is logged out and has to start all over again. Attacker is also logged out.

Of course this would fail when the client just stops using the website and the attacker continues using it...
======
Travis
This is close to a common solution seen in authentication and access control
components in web frameworks. I'm currently in CakePHP, so I'm looking at its
security component. It has a security level that you set in your app, to low,
med, high. If it's set to high, the session is regenerated with each request,
meaning that the session hijacking probably won't work.

However, it gets complicated when you look at the following situation: user
authenticates, gets session id of 1234. attacker steals cookie, now has
session id 1234. ---- next request comes in, session is regenerated by the
server. Next request comes in with session id of 1234 (invalid). Server
recognizes this and invalidates all sessions for that user id (1234 and the
new one). Have to invalidate all of them, because you don't know which is the
valid browser request.

That's all well and good. But it will also log out any other browser that I
had logged in. In effect, it will annoy your users and greatly degrade the
usefulness of the "remember me" cookie.

Is it worth it for your site? Tough to tell. But it will prevent your users
from staying logged in across multiple browsers, which is something to take
into account. Probably worth it for protecting my bank account (if they didn't
use SSL and many other security measures). Probably not worth it for
protecting my Pandora mixes.

------
mooism2
Another problem is what happens when a legitimate client is using an
unreliable network link. A certain proportion of requests will result in the
server advancing the counter, but the connection being broken before the new
cookie is received by the client. This will result in the client being logged
out, even without an attacker.

