Security with sessions
Posted: Tue Oct 01, 2002 5:28 am
Hi!
I've developed a login script that works similarly to an NT challenge/response authentication, with the main feature of never sending the password over the network. The script is supposed to cover the section for those who want to have something more secure than basic authentication but do not want to run SSL. Therefore I'm investigating how secure my script is. I'm using sessions to maintain state with the client.
I know that it is quite easy to sniff TCP traffic and that it is not very hard to find a session cookie going to someone on the network. However, is it possible for an attacker to set that cookie himself in order to hijack a currently logged-in user? I figured it would be easy if the cookie was stored in a text file, but since the session cookies do not expire until the client is closed, they're only stored in the client memory, so can you set a session cookie manually in order to hijack a session?
Regards,
Anders Fredriksson
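Editor's example, not the poster's script (whose code is not on the page): a minimal model of the scheme described above, with the server issuing a nonce, the client answering with an HMAC over a password-derived verifier, and the session cookie carrying identity on every later request. The verifier construction (SHA-256 of the password), the HMAC-SHA256 response, the cookie name PHPSESSID, the sample credential and all function names are assumptions made for the example. It also answers the hijacking question directly: the cookie is nothing more than a request header, so any client that has seen the session id (a browser, curl, a script) can send it and will be treated as the logged-in user, whether or not the original browser ever wrote the cookie to disk.

```python
import hashlib
import hmac
import secrets

# Constructed credential store for the example: the server keeps only a
# password-derived verifier (assumed: SHA-256 of the password), never the
# cleartext password.
USERS = {"anders": hashlib.sha256(b"correct horse battery").hexdigest()}

COOKIE_NAME = "PHPSESSID"  # assumed cookie name (PHP's default session cookie)


def cookie_header(sid):
    """What any HTTP client sends once it knows a session id, sniffed or not."""
    return {"Cookie": f"{COOKIE_NAME}={sid}"}


def sid_from_headers(headers):
    """Server side: pull the session id out of the Cookie header, if present."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return None


def client_response(password, nonce):
    """Client side of the challenge/response: prove knowledge of the verifier
    without sending it. Assumed construction: HMAC-SHA256(verifier, nonce)."""
    verifier = hashlib.sha256(password.encode()).hexdigest()
    return hmac.new(verifier.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.challenges = {}  # session id -> outstanding nonce
        self.sessions = {}    # session id -> authenticated username

    def start(self):
        """First request: hand the client a fresh session id and a one-time nonce."""
        sid = secrets.token_hex(16)
        nonce = secrets.token_hex(16)
        self.challenges[sid] = nonce
        return sid, nonce

    def login(self, headers, username, response):
        """Second request: check the response against the stored verifier.
        The nonce is consumed, so a sniffed response cannot be replayed."""
        sid = sid_from_headers(headers)
        nonce = self.challenges.pop(sid, None)
        verifier = USERS.get(username)
        if nonce is None or verifier is None:
            return False
        expected = hmac.new(verifier.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response):
            return False
        self.sessions[sid] = username
        return True

    def whoami(self, headers):
        """Every later request: identity comes from the session id alone."""
        return self.sessions.get(sid_from_headers(headers))


def run_demo():
    server = Server()

    # Legitimate login: the password never crosses the wire, only the response.
    sid, nonce = server.start()
    response = client_response("correct horse battery", nonce)
    login_ok = server.login(cookie_header(sid), "anders", response)

    # Replaying the sniffed login response fails because the nonce was consumed.
    replay_ok = server.login(cookie_header(sid), "anders", response)

    # A wrong password never produces a valid response.
    sid2, nonce2 = server.start()
    wrong_ok = server.login(cookie_header(sid2), "anders", client_response("guess", nonce2))

    # Session hijack: an attacker who sniffed the session id types the cookie
    # header by hand. The server cannot distinguish this client from the user.
    sniffed_sid = sid
    attacker_identity = server.whoami(cookie_header(sniffed_sid))

    return {
        "login_ok": login_ok,
        "replay_ok": replay_ok,
        "wrong_password_ok": wrong_ok,
        "legit_identity": server.whoami(cookie_header(sid)),
        "attacker_identity": attacker_identity,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two properties of this style of scheme are worth keeping in mind when judging such a script: the stored verifier is password-equivalent (anyone who obtains a copy of it can compute valid responses, so the server-side store needs the same protection as a password file), and the challenge/response only protects the login step, so on a cleartext connection the session id that follows is as good as the password for the life of the session.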