In the system that I'm working on, we have some session cookies on the client side that we need to protect against replay attacks! So I found the following paper http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf from this question: Secure Session Cookies. I really like the way that they put things together. There is only one problem with this, and that is the use of the SSL session key (this is used for anti-replay purposes). I have some problems getting this parameter in my code (we use the .Net framework and the server is running on IIS7.0). So I was wondering whether anyone has implemented this method for his/her system and whether you have a suggestion on replacing this parameter with another one.

Thanks

sgres

2 Answers

I have used mod_auth_tkt, which uses a very similar scheme.

I would suggest very careful consideration before use of the SSL session key: the user (application) session, TCP/HTTPS connections, and the SSL session ID and key are all distinct things. They don't necessarily have the same lifetime.

Further, reusing or repurposing cryptographic material is usually frowned upon (though I can't say that there's definitely something wrong with its use in an HMAC; the problem is determining the opposite).

In the case of a conventional browser/web app, this sort of scheme can have immediately evident problems, e.g. when browser tabs don't share state.

What you have authenticated is a browser "state", tying it to anything else (SSL state or IP address) is fraught. Tying to SSL Session ID is more common (though has a history of MSIE problems). One of the better ways to achieve this is through the use of client certificates, not trivial to implement and manage of course.

See this for many more considerations: https://www.owasp.org/index.php/Session_Management. Also, the (now complete) RFC 6896 Secure Cookie Sessions (the draft is linked to in the accepted answer to the question you link to) has a section devoted to replay issues.

mr.spuratic
  • Thanks for your answer, it really helped. I wanted to vote up your answer but I don't have enough reputation! – sgres Sep 16 '13 at 09:56
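To make the lifetime caveat in this answer concrete, here is an added example (not code from the question, the answer, or the linked paper) of an HMAC-protected cookie in the general shape the paper describes as I understand it: a per-cookie key derived from a server secret, and a MAC over the cookie fields plus a channel-binding value standing in for the SSL session key. `SERVER_KEY`, the `channel_binding` argument and the sample values are constructed assumptions. Confidential `data` is left unencrypted here to keep the example short.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample secret; a real deployment keeps this in a key store, never in source.
SERVER_KEY = b"constructed-server-secret-for-demo-only"


def _derive_key(user: str, expires: int) -> bytes:
    # Per-cookie key k = HMAC(server_key, user|expires): the long-term key is never
    # used directly on attacker-controlled input and never leaves the server.
    return hmac.new(SERVER_KEY, f"{user}|{expires}".encode(), hashlib.sha256).digest()


def _mac(user: str, expires: int, body: str, channel_binding: bytes) -> bytes:
    # The MAC covers every cookie field AND the channel binding (the paper's SSL
    # session key slot), so the cookie is only valid on the channel it was minted for.
    k = _derive_key(user, expires)
    return hmac.new(k, body.encode() + b"|" + channel_binding, hashlib.sha256).digest()


def mint_cookie(user: str, data: str, channel_binding: bytes, ttl: int = 900, now=None) -> str:
    expires = int(time.time() if now is None else now) + ttl
    body = f"{user}|{expires}|{data}"
    mac = _mac(user, expires, body, channel_binding)
    return body + "|" + base64.urlsafe_b64encode(mac).decode()


def verify_cookie(cookie: str, channel_binding: bytes, now=None) -> bool:
    """Return True only for an unexpired, untampered cookie presented on the bound channel."""
    try:
        body, mac_b64 = cookie.rsplit("|", 1)
        user, expires_s, _data = body.split("|", 2)
        expires = int(expires_s)
        presented = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # malformed layout, non-integer expiry, or bad base64
        return False
    if int(time.time() if now is None else now) >= expires:
        return False
    expected = _mac(user, expires, body, channel_binding)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    c = mint_cookie("alice", "role=user", b"tls-session-A", now=1_000_000)
    print("same channel:", verify_cookie(c, b"tls-session-A", now=1_000_100))
    # Fails for a replay from another connection, but ALSO for the legitimate user
    # once the TLS session changes (new tab, renegotiation), which is the lifetime mismatch.
    print("other channel:", verify_cookie(c, b"tls-session-B", now=1_000_100))
```

The second check failing is the whole point of the answer: the MAC cannot distinguish an attacker replaying the cookie over a new TLS session from the real browser that simply opened a new connection.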
A more secure strategy is to build an application where it is very difficult to obtain the session id in the first place. Set the Secure and HTTPOnly flags on the cookie value. Eliminate XSS, CSRF and Clickjacking vulnerabilities in the application.

rook