what techniques should we use to prevent auto-login by pasting cookies?

Question

I read http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html

Log into a website, copy the essential cookie values, then paste them into another browser running on another computer. That's all it takes. It's quite an eye opener.

My question is, does this method also work if we use php/aspnet sessions.

And if it does work, what techniques can we (as web developers) employ to prevent this trick from working. Basically I do not wish the user to be able to login to his account just by pasting cookies, a password is a MUST.

If the above is not possible, does it mean that even for google products like Gmail, I will have some way to login into my account without requiring my password?

Answer 1

sessions are sessions - accomplished by storing an ID token in a cookie. YOu cannot prevent the cookies from being manually copied between browsers.

You can attempt to do things like logging the original User-Agent string when they log in, and compare each time (if they logged in with Firefox, and are suddenly using Opera, hmmMmMmmmmmm). Same for IP addresses... but IP addresses are problematic for mobile users and people behing multi-homed proxy server systems, such as most of AOL and the like. Their IP can potentially change for EVERY request.

There's no foolproof method of preventing cookie sharing that can't be bypassed (change your browser's UA so they ALL claim to be a single type/version), or produce false-positives (IP changes due to proxies).

Answer 2

Well, as a creator of a software that can capture any cookie over HTTP successfully, if you want security, there are a few tips:

-Use HTTPS when possible to prevent OTHERS to capture that cookie first.

The answer to your question: there is no one concrete way. You can make it harder, which will also make your job (and your server's) harder.

-Expire the cookies after some short time at the server side, so even if the user copy pastes the cookie, it just won't be a valid one.

-Save some metadata with a cookie too, such as remote IP and user agent string or some other headers.

These are the best and most straightforward tips you can use, but just have in mind that an experienced user can overcome most of these problems. Just don't leave anything about the security to client side, finish it at the server side as a golden rule.