|
|
Posted by Edward Vermillion on 07/08/05 21:59
On Jul 8, 2005, at 1:25 PM, Ezra Nugroho wrote:
>
> Here is one security measure that you HAVE to do if you allow people to
> submit contents to your site.
>
>
> 1. track client's IP.
> 2. Associate sensitive cookies with the IP, if they don't match, ignore
> it or invalidate the cookie.
>
> We may not stop the information redirection.
> We can make the information invalid.
>
Well, yes and no. If the "bad guy" can get the cookie, it's also likely
that he's got all the
information the valid user is sending you too, such as ip, user agent,
whatever...
So he's probably going to send all that along with the stolen cookie,
and the checks
you have will let him in.
All the ip, user agent, etc. checks do is slow down a brute-force
attack. They have to
guess more than one correct value to get in. But that cookie.... that's
the prize.
Edward Vermillion
evermillion@doggydoo.net
Navigation:
[Reply to this message]
|