Hi

I might be missing the point, but if you are already tracking with
Apache::Session, why not encrypt the session id before giving it to the user
in the first place?  You could store a public 'key' for the encryption in a
cookie on the user's machine.  That way only that user can give you the right
info to decode the session.  If this sounds reasonable, you may want to
check out Paul DuBois's book "MySQL and Perl for the Web", ISBN 0-7357-1054-6.
He outlines a method to encrypt the Apache::Session id.

Mike


----- Original Message -----
From: "Aleksandr Guidrevitch" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: August 14, 2003 6:54 AM
Subject: Apache::Session


> Hi, All
>
> Sorry, this post might be out of scope of this particular list, but
> still... don't punch me heavily :) I just think the people here might
> have met this problem while deploying big public applications.
>
> I use Apache::Session to identify logged-in users. However, the users
> are allowed to post HTML (obviously with JavaScript) messages viewable
> by others. That could create an XSS vulnerability and allow the
> sessions (cookies) of other users to be stolen.
>
> Is it possible to uniquely identify the user by some attributes?
> The only thing I consider now is IP, but what about proxies and NATs?
> The User-Agent string could also be stolen via JavaScript. That means I tend
> to make stolen session ids non-reusable.
>
> Any thoughts?
>
> Sincerely,
> Aleksandr Guidrevitch
>

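The two ideas in this thread, an opaque server-signed cookie value instead of the bare Apache::Session id and a client fingerprint re-checked on every request, as an added example that is not from either poster. It assumes Perl with the core Digest::SHA module, uses a plain hash in place of the tied Apache::Session hash so it runs offline, and the secret, session id and client values are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the thread): sign the session id before it goes
# into the cookie, and bind the session to a client fingerprint that is
# re-checked on every request. A plain hash stands in for the tied
# Apache::Session hash so this runs without a session store.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret (placeholder); load it from a file outside the docroot.
my $SECRET = 'change-me-to-a-long-random-secret';

# Cookie value = id + HMAC(id). A forged or guessed id fails the MAC check
# before the session store is ever queried.
sub cookie_from_id {
    my ($id) = @_;
    return $id . '.' . hmac_sha256_hex($id, $SECRET);
}

sub id_from_cookie {
    my ($cookie) = @_;
    my ($id, $mac) = split /\./, $cookie, 2;
    return undef unless defined $id && defined $mac;
    return $mac eq hmac_sha256_hex($id, $SECRET) ? $id : undef;
}

# Fingerprint: first three octets of the IP (so a NAT pool or proxy farm in
# one /24 keeps working) plus the User-Agent. A stolen cookie replayed from
# another network or browser is rejected; one replayed from the same /24 and
# UA still passes, so this narrows the XSS theft window rather than closing it.
sub fingerprint {
    my ($ip, $ua) = @_;
    my ($net) = $ip =~ /^(\d+\.\d+\.\d+)\.\d+$/;
    $net //= $ip;    # non-IPv4 address: use it verbatim
    return hmac_sha256_hex("$net|$ua", $SECRET);
}

sub session_ok {
    my ($session, $ip, $ua) = @_;
    return ($session->{fp} // '') eq fingerprint($ip, $ua);
}

# Constructed demo: a login from 192.0.2.10, then checks from other clients.
my $ua = 'Mozilla/5.0 (X11; Linux)';
my %session = (_session_id => 'a1b2c3d4e5f6', fp => fingerprint('192.0.2.10', $ua));
my $cookie  = cookie_from_id($session{_session_id});
print "cookie:        $cookie\n";
print "same /24:      ", (session_ok(\%session, '192.0.2.99',   $ua) ? 'ok' : 'REJECT'), "\n";
print "other network: ", (session_ok(\%session, '198.51.100.7', $ua) ? 'ok' : 'REJECT'), "\n";
print "tampered id:   ", (defined id_from_cookie("zzz.$cookie") ? 'ok' : 'REJECT'), "\n";
```

The `eq` comparison of the MAC is not constant-time; a real deployment would compare with a constant-time routine.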