(keitai-l) Re: Losing Sessions on WAP servlet app

From: Curt Sampson <cjs_at_cynic.net>
Date: 05/30/05
Message-ID: <Pine.NEB.4.62.0505300658040.12360@angelic.cynic.net>

On Sun, 29 May 2005, Paul wrote:

>    To make the session unhijackable on a handset, check the Handset ID
> and use it to make the secret code that indicates a session.

Handset IDs can be faked, unless you're also checking the source of the
request to make sure that it's, e.g., one of the known Docomo proxy
servers. As well, note that if you request the handset ID to be sent,
it's going to prompt the user to make sure that that's ok. You certainly
don't want this happening on every page!

A less costly check is just to store other header information, such as
the User-agent, when starting a session, and if that information changes
during the session, invalidate the session. It's not a perfect check,
but it will stop casual (and usually accidental) session sharing when
someone sends a URL to someone else, and will make it a bit more work
for a malicious attacker.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974

Received on Mon May 30 01:03:06 2005
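
The two checks discussed in the message above, as an added example that is not part of the original post and not servlet code: a framework-neutral Python sketch that records a handset ID only when the request arrives from a known carrier proxy range, and invalidates a session when the headers stored at session start change. The class name, the `192.0.2.0/24` range, the header list and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import secrets

# Constructed placeholder (TEST-NET-1). Real gateway ranges must come from
# the carrier's published list.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]
# Headers pinned for the life of the session; extend with other stable headers.
BOUND_HEADERS = ("user-agent",)


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> record

    @staticmethod
    def _bound_values(headers):
        lowered = {k.lower(): v for k, v in headers.items()}
        return tuple(lowered.get(name, "") for name in BOUND_HEADERS)

    @staticmethod
    def _from_trusted_proxy(remote_addr):
        ip = ipaddress.ip_address(remote_addr)
        return any(ip in net for net in TRUSTED_PROXIES)

    def start(self, headers, remote_addr, handset_id=None):
        """Create a session. The handset ID is requested once, here, and is
        believed only if the request came through a known carrier proxy."""
        sid = secrets.token_urlsafe(32)
        trusted = bool(handset_id) and self._from_trusted_proxy(remote_addr)
        self._sessions[sid] = {
            "bound": self._bound_values(headers),
            "handset_id": handset_id if trusted else None,
        }
        return sid

    def check(self, sid, headers):
        """Return the session record, or None if the session is unknown or
        the pinned headers changed (in which case it is invalidated)."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if record["bound"] != self._bound_values(headers):
            del self._sessions[sid]  # the original holder must start over too
            return None
        return record


if __name__ == "__main__":
    store = SessionStore()
    ua = {"User-Agent": "DoCoMo/2.0 N901iS(c100;TB;W24H12)"}  # constructed sample
    sid = store.start(ua, "192.0.2.10", handset_id="CONSTRUCTED-ID")
    print(store.check(sid, ua))                            # session accepted
    print(store.check(sid, {"User-Agent": "Other/1.0"}))   # header changed
```
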