Hi, All
Sorry, this post might be out of scope of this particular list, but
still... don't punch me heavily :) I just think the people here might
have met this problem while deploying big public applications.
I use Apache::Session to identify logged-in users. However, the users
are allowed to post HTML (obviously with JavaScript) messages viewable
by others. That could create an XSS vulnerability and allow stealing the
sessions (cookies) of other users.
Is it possible to uniquely identify the user by some attributes?
The only thing I consider now is IP, but what about proxies and NATs?
User Agent string could also be stolen via javascript. That means I tend
to make stolen session ids non-reusable.
Any thoughts?
Sincerely,
Aleksandr Guidrevitch
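The two ideas in the post, binding a session to client attributes and making a stolen id non-reusable, can be shown together in a small store. The following is an added example written for this thread; it is not the poster's code and does not use Apache::Session. It assumes an in-memory store, a server-side key, and constructed IP/User-Agent values. The fingerprint is a keyed hash of IP and User-Agent, and every validated request retires the presented id and issues a new one, so an id copied out of the cookie works at most once and a second use destroys the session instead of silently sharing it.

```python
"""Session binding plus one-time session ids, as a defence against session
ids leaked through XSS.  Added demonstration code, not Apache::Session."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    fingerprint: str  # keyed hash of the client attributes the session is bound to


class SessionStore:
    """In-memory store keyed by session id (a real deployment would persist it)."""

    def __init__(self, server_key: bytes):
        self._key = server_key  # assumption: a secret kept on the server only
        self._sessions: Dict[str, Session] = {}

    def fingerprint(self, ip: str, user_agent: str) -> str:
        # Keyed hash so the stored value does not expose the raw attributes.
        msg = f"{ip}\x00{user_agent}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def create(self, user: str, ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, self.fingerprint(ip, user_agent))
        return sid

    def validate(self, sid: str, ip: str, user_agent: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (user, new_sid) if sid is valid for this client, else (None, None).

        The presented id is consumed whether or not the check passes. A valid
        request gets a fresh id; a replayed id or one presented from a client
        with different attributes is rejected and the session is destroyed, so
        the legitimate user is logged out rather than sharing the session.
        """
        session = self._sessions.pop(sid, None)
        if session is None:
            return None, None  # unknown or already-used id
        expected = self.fingerprint(ip, user_agent)
        if not hmac.compare_digest(session.fingerprint, expected):
            return None, None  # attributes differ from those at login
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = session
        return session.user, new_sid


def demo() -> dict:
    """Walk through the legitimate, replayed and stolen-id cases with constructed clients."""
    store = SessionStore(b"constructed-server-key")
    ip, ua = "203.0.113.5", "Mozilla/5.0 (constructed)"
    sid = store.create("alice", ip, ua)
    # Legitimate request: accepted and the id is rotated
    user, sid2 = store.validate(sid, ip, ua)
    # The original id replayed (e.g. copied by injected script): rejected
    replay, _ = store.validate(sid, ip, ua)
    # Current id presented from another client: rejected, session destroyed
    stolen, _ = store.validate(sid2, "198.51.100.9", "curl/8 (constructed)")
    # The real user now finds their session gone and must log in again
    victim, _ = store.validate(sid2, ip, ua)
    return {
        "first": user,
        "rotated": sid2 != sid,
        "replay": replay,
        "stolen": stolen,
        "victim_after_theft": victim,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a deployment has to weigh: binding to the IP address breaks for users behind proxies and NATs, exactly as the post notes, so many sites bind only to attributes that stay stable for one client; and rotating the id on every request conflicts with concurrent requests from one browser, so a grace window for the previous id is usually needed. Neither replaces marking the cookie HttpOnly and restricting the HTML users may post, which stop the script from reading the cookie in the first place.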