authentication - Password security in sessions
Instead of storing plain text passwords, use a strong hashing function with a high computation cost, a random salt to thwart rainbow attacks, etc.
But when a user is in a session, typically the username is stored along with a hash of the password in a cookie to authenticate the session. If the user's browser cookie space is compromised, doesn't the attacker obtain an easier target by cracking username + session hash, instead of username + password hash?
In the Django example, passwords are hashed with pbkdf2 or bcrypt, but session hashes use a less complex hmac, with no random salt. Is this a security issue? If yes, what is the right way to handle sessions?
For each session, I suggest using a dedicated sessionid: a random, long 128-bit value. Then keep the session key as:
username:sessionid:hash
where
hash = sha1(sessionid|username|client_ip|secret_server_side_password);
Every time you receive the cookie, you need to compute the hash again and compare it with the received one.
As a result, the cookie is useless after the session is closed (sessionid mismatch). Moreover, if the cookie is stolen from an active session, the server can figure out that the attack used a stolen cookie from another computer, because the client_ip of the real client differs from the actual client_ip.
Of course, if the client IP changes, the session is automatically disconnected.
An alternative is using an authentication system based on client SSL certificates, for example emcssl.
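The issue/verify cycle described in the answer above, as an added example that is not part of the original post: the cookie is username:sessionid:hash, and on each request the server recomputes the hash from the sessionid, username, client_ip and a server-side secret. One swap from the answer's sketch: the tag is an HMAC-SHA256 rather than a plain sha1 over the concatenated fields, since a keyed MAC is the construction meant for this job. The secret and the active-session store are constructed here for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example secret; a real server loads this from its configuration.
SERVER_SECRET = b"example-server-side-secret-do-not-reuse"


def _tag(username: str, session_id: str, client_ip: str, secret: bytes) -> str:
    # Keyed hash over sessionid|username|client_ip, as in the answer's formula
    # but using HMAC-SHA256 instead of sha1 over a concatenation.
    msg = "|".join([session_id, username, client_ip]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_session_cookie(username: str, client_ip: str, secret: bytes = SERVER_SECRET) -> str:
    """Issue a username:sessionid:hash cookie for a new session."""
    session_id = secrets.token_hex(16)  # 128 bits of fresh randomness
    return f"{username}:{session_id}:{_tag(username, session_id, client_ip, secret)}"


def verify_session_cookie(cookie: str, client_ip: str, active_sessions: dict,
                          secret: bytes = SERVER_SECRET) -> tuple:
    """Return (accepted, reason). active_sessions maps username -> open sessionid."""
    # rsplit so a ':' inside the username cannot shift the fields.
    parts = cookie.rsplit(":", 2)
    if len(parts) != 3:
        return False, "malformed"
    username, session_id, tag = parts
    expected = _tag(username, session_id, client_ip, secret)
    # Constant-time comparison so the check does not leak which byte differed.
    if not hmac.compare_digest(tag, expected):
        if active_sessions.get(username) == session_id:
            # Valid sessionid but wrong hash: presented from another client_ip
            # (the stolen-cookie case the answer describes) or tampered with.
            return False, "ip_mismatch"
        return False, "bad_hash"
    if active_sessions.get(username) != session_id:
        # Hash is fine but the session was closed, so the cookie is dead.
        return False, "session_closed"
    return True, "ok"
```

The "ip_mismatch" branch is where the server would log the event and tear down the session, which also covers the answer's point that a legitimate IP change simply ends the session.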