Posted by Marcus on 11/14/05 10:10
I have read quite a few articles on "fingerprinting" a user when they
start a session. Chris Shiflett has a good article here:
http://shiflett.org/articles/the-truth-about-sessions
However, this part of his (and all the other similar articles) doesn't
make sense to me.
session_start();
$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGENT'];
$_SESSION['fingerprint'] = md5($fingerprint . session_id());
"With a fingerprint that is difficult to guess, little is gained without
leveraging this information in an additional way than demonstrated thus
far."
I don't really understand how this is more secure than just feeding
$_SERVER['HTTP_USER_AGENT'] into md5() without the secret seed, but I
must be missing something because everybody that talks about
fingerprinting seems to advocate adding a seed.
I am confused because as far as I can tell, every subsequent request the
user makes really only depends on $_SERVER['HTTP_USER_AGENT']. If an
attacker can successfully spoof this value, what does any of the
secretstuff matter? In order to check that we have a "valid" browser
after the initial saving in the session, we will have to re-supply the
seed and md5 representation after every submission of the user agent.
Given the above code, the only scenario I can envision in which we can
successfully match up this info would be something along the lines of:
// Recompute the stored value from the same inputs: the secret, the
// current User-Agent header and the current session id (the session id
// must be included, otherwise this can never match what was stored).
$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGENT'];
if (md5($fingerprint . session_id()) != $_SESSION['fingerprint'])
{
    // prompt for password
}
called on each page, which to me doesn't really add any security since
we are providing what secretstuff is on every page.
Sorry for the length, and thanks in advance.
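The check Marcus sketches, written out as a runnable script. This is an added example, not code from the post or from the article it quotes. It assumes a per-deployment secret held in configuration (a constructed constant here), uses HMAC-SHA256 in place of md5() so the secret acts as a key rather than a string prefix, and simulates the session id and User-Agent with constructed values so it runs from the command line with no web server. The first block of output shows the purely server-side comparison the post describes; the second shows the "additional way" the quoted sentence alludes to, where the client must also present the fingerprint (for instance in a second cookie), which is the situation in which the secret does matter: a value computed without it is rejected even when the User-Agent and session id are known.

```php
<?php
// Added example (not from the original post or the quoted article).
// Assumption: the secret is loaded from configuration; this constant is a
// constructed placeholder, not a real value.
const FINGERPRINT_SECRET = 'constructed-example-secret';

// Build the fingerprint from the same three inputs as the quoted snippet
// (secret, User-Agent, session id). HMAC-SHA256 is used instead of md5 so
// the secret is a proper key.
function make_fingerprint(string $secret, string $userAgent, string $sessionId): string
{
    return hash_hmac('sha256', $userAgent . '|' . $sessionId, $secret);
}

// Per-request check: the stored fingerprint must equal a freshly computed
// one. hash_equals() is a constant-time comparison.
function fingerprint_matches(string $stored, string $secret, string $userAgent, string $sessionId): bool
{
    return hash_equals($stored, make_fingerprint($secret, $userAgent, $sessionId));
}

// Constructed stand-ins for session_id() and $_SERVER['HTTP_USER_AGENT'].
$sessionId = 'constructedsessionid1234';
$realUa    = 'Mozilla/5.0 (constructed browser string)';

// Case 1: server-side comparison only, as in the post. The server holds the
// secret and re-applies it on every request, so the outcome depends solely
// on whether the presented User-Agent equals the one stored at login.
$stored = make_fingerprint(FINGERPRINT_SECRET, $realUa, $sessionId);
printf("same UA, server-side check:      %s\n",
    fingerprint_matches($stored, FINGERPRINT_SECRET, $realUa, $sessionId) ? 'accepted' : 'rejected');
printf("different UA, server-side check: %s\n",
    fingerprint_matches($stored, FINGERPRINT_SECRET, 'Other/1.0', $sessionId) ? 'accepted' : 'rejected');

// Case 2: the client must also send the fingerprint back (e.g. in a second
// cookie), and the server compares what it receives against its own
// computation. A value produced without the secret fails even though the
// User-Agent and session id match exactly.
$clientValueWithoutSecret = hash_hmac('sha256', $realUa . '|' . $sessionId, 'not-the-secret');
printf("client token made without secret: %s\n",
    fingerprint_matches($clientValueWithoutSecret, FINGERPRINT_SECRET, $realUa, $sessionId) ? 'accepted' : 'rejected');
$clientValueWithSecret = make_fingerprint(FINGERPRINT_SECRET, $realUa, $sessionId);
printf("client token made with secret:    %s\n",
    fingerprint_matches($clientValueWithSecret, FINGERPRINT_SECRET, $realUa, $sessionId) ? 'accepted' : 'rejected');
```

Run it with `php fingerprint_example.php` (filename is arbitrary). In a real application the two constructed values come from session_id() and $_SERVER['HTTP_USER_AGENT'], and the secret should be generated once per deployment and kept out of the code base.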