Currently I'm working with CakePHP and implementing user management in my project. Today I came across an issue with user sessions. I have generated a cookie to remember the user's password in encrypted format; the cookie restores the session if the user's session expires. Now I have tried transferring the cookie to another browser, from Chrome to Mozilla, using a cookie manager plugin, and I found myself logged in in both browsers. What is the best way to prevent this?
1 Answer
You can't prevent this. However, you can reduce the problem by having a session value generated server-side when the user starts a new session, which is some hash made from
- The session ID
- The user agent (attacker would have to use/spoof the same client)
- Possibly the IP (would only work for fixed devices, but makes it much harder for an attacker)
Now when a logged-in user tries to view a page that requires being logged in, you can compare more details than just the session lookup.
It's not impossible to spoof, but this reduces the problem. This hash should never actually be sent to the client, just kept in the session information server-side.
2 Comments
Alex
How is Facebook doing this?
Tomáš Aresak Malčánek
Facebook is using a Symb-like system to store cookies.
md5($useragent.$ip) at the least, still predictable. md5($email.$hashed_password.$useragent) is a better start.
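The following is an added example, not code from the question, the answer or CakePHP itself, showing the server-side binding the answer describes (session ID + user agent + optional IP) together with the point raised in the comment that a bare md5 of public inputs is predictable. It uses plain PHP sessions and an HMAC with a server-side secret, so the binding value cannot be recomputed from the inputs alone; the constant SESSION_BIND_KEY and the function names are assumptions for this illustration, and wiring it into a CakePHP component is left to the reader. A user-agent check alone already defeats the exact test in the question, because Chrome and Firefox send different User-Agent strings.

```php
<?php
// Added example (not from the question or answer): bind a PHP session to a
// server-side client fingerprint that is never sent to the browser.
declare(strict_types=1);

// Assumption: a random server secret loaded from configuration. Because the
// fingerprint is an HMAC keyed with this value, an attacker who knows the
// user agent and IP still cannot produce the expected hash.
const SESSION_BIND_KEY = 'replace-with-a-random-32-byte-secret-from-config';

/**
 * Compute the binding hash for the current client. Inputs are joined with
 * NUL separators so "ab" + "c" and "a" + "bc" do not collide.
 */
function session_fingerprint(string $sessionId, string $userAgent, ?string $clientIp, string $key = SESSION_BIND_KEY): string
{
    $material = implode("\0", [$sessionId, $userAgent, $clientIp ?? '']);
    return hash_hmac('sha256', $material, $key);
}

/**
 * Call once after a successful login (or after a remember-me cookie has
 * re-established identity). Regenerates the session ID and stores the
 * fingerprint server-side only.
 */
function bind_session_to_client(string $userId, string $userAgent, ?string $clientIp): void
{
    session_regenerate_id(true);            // fresh ID on privilege change
    $_SESSION['user_id'] = $userId;
    $_SESSION['bind']    = session_fingerprint(session_id(), $userAgent, $clientIp);
}

/**
 * Call on every request that requires an authenticated user. Returns false
 * when the presented session cookie does not match the client it was
 * issued to (for example, a cookie copied from Chrome into Firefox).
 */
function session_matches_client(string $userAgent, ?string $clientIp): bool
{
    if (empty($_SESSION['bind']) || !is_string($_SESSION['bind'])) {
        return false;
    }
    $expected = session_fingerprint(session_id(), $userAgent, $clientIp);
    return hash_equals($_SESSION['bind'], $expected); // constant-time compare
}

// Request-handling sketch.
session_start();
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
// Pass null here instead of REMOTE_ADDR for users on mobile or NAT'd networks,
// where the address changes legitimately; the user-agent check still applies.
$ip = $_SERVER['REMOTE_ADDR'] ?? null;

if (isset($_SESSION['user_id']) && !session_matches_client($ua, $ip)) {
    // Cookie presented from a different client: drop the session, force re-login.
    $_SESSION = [];
    session_destroy();
    http_response_code(401);
    exit;
}
```

Because the fingerprint lives only in $_SESSION, a copied cookie carries the session ID but not the hash; the server recomputes it from the new request's headers and the mismatch is detected. Log such mismatches, since a burst of them for one account is a useful signal of cookie theft.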