[Zope] CoreSessionTracking: Brute-Forcing Web Application Session IDs

Frank Tegtmeyer fte@lightwerk.com
27 Nov 2001 16:43:14 +0100


"Chris McDonough" <chrism@zope.com> writes:

> OK, so do you recommend that I just use a shared secret string to
> obfuscate the session id?

Yes, I think that would be sufficient. The secret would be generated
during creation of the SessionId manager, either by asking the user
for some secret or by getting it from the system (/dev/random on Linux
for example). When asking the user, a long default value could be provided
so that the user only has to change it (seeing a good random example
is easier than creating one from scratch).

> I suppose I could just use the rotor module

Yes, that's a possibility.

> Or do you think I should use dates/times and IP addresses as part of
> the string, rejecting session ids from machines that don't match the
> IP address encoded into the sid and date/times that are too long
> ago?

I would avoid IP addresses because session users can come from
different sources legally. Timestamping would be a good thing in case
session IDs are kept somewhere in URLs (search engines, proxy logs,
...).

> Note that I believe there will be some cost involved in terms of
> documentation and support if this is the case.  Sessions often just
> won't work due to proxy server banks that prevent users from appearing
> to come from the same IP address across requests.

Exactly.

> In any case, if anything like this goes in, this will be a feature of
> a sessioning system after Zope 2.5 and will not ship with 2.5.

Oh, don't feel any pressure ... it was only a suggestion, not a demand
:)

> Thanks Frank!

Thanks too, Chris.

Regards, Frank
-- 
CTO   fte@Lightwerk.com         http://www.Lightwerk.com/
Fax: +49-2434-80 07 94           Phone: +49-2434-80 07 81
Lightwerk GmbH * An der Kull 11 * 41844 Wegberg * Germany
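
The following is an added example, not code from Zope or from either
participant in this thread. It puts the suggestions above into working
form: a shared secret taken from the operating system when the session
manager is created, a keyed hash over the session ID so a guessed or
altered ID fails verification, and an embedded timestamp so an ID that
leaks through a URL, a proxy log or a search engine stops working after
a while. No client IP address is encoded, for the reason given above.
The function names (new_secret, make_sid, check_sid, flip_bit) and the
MAX_AGE and CLOCK_SKEW values are this example's own assumptions. HMAC is
used instead of the rotor module mentioned in the thread; rotor was
later removed from the Python standard library.

```python
# Added example (not Zope's code): secret-keyed, timestamped session IDs.
import base64
import hashlib
import hmac
import os
import time

NONCE_LEN = 16      # random part of the ID (the actual session key)
TS_LEN = 8          # big-endian seconds since the epoch
TAG_LEN = 32        # HMAC-SHA256 digest length
MAX_AGE = 3600      # seconds an ID stays valid (assumed policy value)
CLOCK_SKEW = 300    # tolerated future timestamp for unsynchronised clocks


def new_secret(length=32):
    """Secret for the session manager, read from the OS random source
    (/dev/urandom on Linux). Its hex form can double as the long default
    value offered to an administrator who prefers to set their own."""
    return os.urandom(length)


def make_sid(secret, now=None):
    """Build an ID: nonce || timestamp || HMAC(secret, nonce || timestamp),
    URL-safe base64 encoded so it survives cookies and query strings."""
    ts = int(time.time() if now is None else now)
    body = os.urandom(NONCE_LEN) + ts.to_bytes(TS_LEN, "big")
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode("ascii")


def check_sid(sid, secret, now=None, max_age=MAX_AGE):
    """Return the hex session key if the ID is genuine and fresh, else None.
    The client IP is deliberately not part of the check: users behind proxy
    banks legitimately change address between requests."""
    try:
        raw = base64.urlsafe_b64decode(sid)
    except ValueError:           # binascii.Error is a ValueError subclass
        return None
    if len(raw) != NONCE_LEN + TS_LEN + TAG_LEN:
        return None
    body, tag = raw[:NONCE_LEN + TS_LEN], raw[NONCE_LEN + TS_LEN:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    # Constant-time compare: a byte-by-byte mismatch must not leak timing.
    if not hmac.compare_digest(tag, expected):
        return None              # forged, tampered, or made with another secret
    ts = int.from_bytes(body[NONCE_LEN:], "big")
    current = int(time.time() if now is None else now)
    if ts - current > CLOCK_SKEW or current - ts > max_age:
        return None              # too far in the future, or too old (leaked ID)
    return body[:NONCE_LEN].hex()


def flip_bit(sid):
    """Flip one bit of an encoded ID; used to show that tampering is caught."""
    raw = bytearray(base64.urlsafe_b64decode(sid))
    raw[0] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    secret = new_secret()
    sid = make_sid(secret)
    print("valid now:   ", check_sid(sid, secret) is not None)
    print("tampered:    ", check_sid(flip_bit(sid), secret))
    print("wrong secret:", check_sid(sid, new_secret()))
    print("expired:     ", check_sid(sid, secret, now=time.time() + MAX_AGE + 1))
```

The check rejects an ID for four distinct reasons, all returning None so
a caller cannot tell a forgery from an expired ID: undecodable or
wrong-length input, a bad tag, a timestamp beyond the skew window, and a
timestamp older than max_age. The secret must be stored with the session
manager and not change while issued IDs are meant to stay valid;
rotating it invalidates every outstanding session at once.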