It is easy to steal session id cookies with JavaScript functions planted in trusted sites by other users. What are the possible counter-measures for this kind of attack?
Rejecting all JavaScript on the client side is probably difficult because almost all sites use JS. What are the possible counter-measures on the server side? Is it possible to include a hash of the client IP address in the session id value to prevent a valid session id from being used from another host? Does this approach make sense?
In one of the resources mentioned in your valuable answers, a solution is proposed where the session id is changed after every request. Is such a feature already supported by the app servers/frameworks? In particular, how about Django/Python?
It's really awkward to do IP-to-session mapping, because you don't have guarantees that people aren't using proxies, and those proxies could easily change IPs.
The best thing you can do is use SSL and make your cookies HTTP-only.
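As an added example (not part of the question or the answer above, and not Django's code), here is what the answer's advice looks like in practice using only Python's standard library: `build_session_cookie` emits a `Set-Cookie` value carrying `HttpOnly`, `Secure` and `SameSite`, `audit_set_cookie` checks response headers for session cookies that lack those flags, and `SessionStore` is a constructed in-memory store whose `rotate()` shows the per-request id change the question asks about (in Django the equivalent is `request.session.cycle_key()`). The list of session cookie names is an assumption used for the audit.

```python
import secrets
from http.cookies import SimpleCookie

# Cookie names commonly used for session identifiers (constructed list for the audit).
SESSION_COOKIE_NAMES = {"sessionid", "PHPSESSID", "JSESSIONID", "connect.sid"}


def build_session_cookie(name, value, max_age=3600):
    """Build a Set-Cookie value with the protections the answer recommends.

    HttpOnly keeps document.cookie from exposing the value to injected scripts,
    Secure keeps it off plaintext HTTP, and SameSite=Lax limits cross-site sending.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Return the protections missing from any session cookie in one Set-Cookie header.

    Non-session cookies are ignored; an empty list means the header passes.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if name not in SESSION_COOKIE_NAMES:
            continue
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite")
    return findings


class SessionStore:
    """Minimal in-memory session store that can rotate identifiers (constructed for illustration)."""

    def __init__(self):
        self._sessions = {}

    def create(self, data):
        # 256 bits of randomness from the OS CSPRNG; the id carries no client data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = dict(data)
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, sid):
        """Issue a fresh id for an existing session and invalidate the old one.

        A previously leaked id stops resolving as soon as rotation happens.
        """
        data = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


if __name__ == "__main__":
    print(build_session_cookie("sessionid", "abc123"))
    print(audit_set_cookie("sessionid=abc123; Path=/"))
    store = SessionStore()
    old = store.create({"user": "alice"})
    new = store.rotate(old)
    print("old id still valid:", store.get(old) is not None)
    print("new id valid:", store.get(new) is not None)
```

The audit is a useful regression check in a test suite: feed it every `Set-Cookie` header your application emits and fail the build when the list is non-empty. Rotation alone does not stop a script that already runs in the victim's page from reading `document.cookie`, which is why `HttpOnly` remains the primary control.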