Re: [Full-Disclosure] defense against session hijacking
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] defense against session hijacking
- From: Jakob Lell <jlell@JakobLell.de>
- Date: Wed, 19 Nov 2003 15:33:24 +0100
On Tuesday 18 November 2003 14:18, Jason Ziemba wrote:
> I'm not going to claim that my method is fool-proof, but..
> If you are using sessions on your site then you should have the ability to
> track the movement of a user throughout your system.
>
> If you record the last page the user was on (with a specific session-id),
> you can then check the referrer server variable on their next hit and compare
> the referrer to their last known page. Most of the time (depending on the
> complexity of your site) the referrer and last known page should match.
> If their session is 'hijacked', odds are the 'hijacker' will not be
> following in a valid user's footsteps; more likely they will just be
> coming at the server with rogue data. The referrer check won't match and
> thus the validity of the session request is also void.
Hello,
If you open a link in a new tab or a new window and then open a link in the
original tab/window, this check will fail and thus lock out legitimate users.
Furthermore, it won't really help to improve security as the referer header
can easily be spoofed.
Regards
Jakob
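An added simulation of both objections, written for this archive page and not code from either poster. It assumes a hypothetical site `https://example.test` and a simplified version of the proposed check: the server remembers the last page served to each session id and rejects a request whose Referer does not name that page.

```python
from typing import Optional

SITE = "https://example.test"  # hypothetical site used for the constructed requests


class SessionTracker:
    """Server-side record of the last page served to each session id."""

    def __init__(self) -> None:
        self.last_page: dict = {}

    def check_and_record(self, session_id: str, path: str,
                         referer: Optional[str]) -> bool:
        """Return True if the Referer matches the page last served to this
        session (a new session always passes), then record `path` as the
        new last page."""
        expected = self.last_page.get(session_id)
        ok = expected is None or referer == SITE + expected
        self.last_page[session_id] = path
        return ok


def simulate(requests):
    """Run (session_id, path, referer) tuples through the check in order
    and return the list of accept/reject decisions."""
    tracker = SessionTracker()
    return [tracker.check_and_record(s, p, r) for s, p, r in requests]


# Constructed scenario 1: a legitimate user opens /b from /a in a new tab,
# then clicks /c in the original tab, whose page is still /a. The server
# now believes the last page was /b, so the third request is rejected.
LEGIT_TABS = [
    ("s1", "/a", None),
    ("s1", "/b", SITE + "/a"),
    ("s1", "/c", SITE + "/a"),
]

# Constructed scenario 2: Referer is supplied by the client, so any request
# that carries the expected value is indistinguishable from the real user's
# next click; the check adds no assurance about who holds the session id.
CLIENT_SUPPLIED = [
    ("s2", "/account", None),
    ("s2", "/transfer", SITE + "/account"),
]
```

`simulate(LEGIT_TABS)` yields `[True, True, False]`, the lockout of a real user that the reply describes, while `simulate(CLIENT_SUPPLIED)` yields `[True, True]`.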