Forums / Cotonti / Extensions / Facebook Plugin?

Trustmaster
#28048 2011-01-20 20:57
FaceBook actually uses HMAC. It protects the auth data from getting sniffed and decomposed. But I need to investigate if it helps against XSS, because an XSS attacker does not decompose anything, he just uses the cookie as it is.

Even if it does not protect from XSS, it might be a good improvement because it is more reliable than the current mechanism based on random session identifiers.

Added 26 minutes later:

Something we forgot about:
Wikipedia:
Another mitigation present in IE (since version 6), Firefox (since version 2.0.0.5), Safari (since version 4) and Google Chrome, is a HttpOnly flag which allows a web server to set a cookie that is unavailable to client-side scripts. While beneficial, the feature does not fully prevent cookie theft nor can it prevent attacks within the browser.
We've been using the HttpOnly flag for quite a long time. So, I think that for most sites ipcheck can be disabled by default and enabled on sites where security is much more important than user comfort (e.g. banking, e-stores, etc.).

Another thing to allow logins from multiple devices is using HMAC instead of random session keys (because such random keys are often changed).
May the Source be with you!
This post was edited by Trustmaster (2011-01-20 21:32, 13 years ago)
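The following is an added example (not Cotonti's code and not the poster's) illustrating the three points in the post above: an HMAC-signed session cookie that a client cannot tamper with, the fact that HMAC alone does not stop a stolen cookie from being replayed as-is (the XSS case), and an optional `ipcheck`-style binding of the token to the client address. The server key, user id, timestamps and IP addresses are constructed sample values; `issue_token`, `verify_token` and `session_cookie_header` are hypothetical names, not Cotonti or Facebook API.

```python
import base64
import binascii
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from typing import Optional

# Constructed sample secret; a real deployment loads a random key from config.
SERVER_KEY = b"constructed-server-secret-change-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _mac_input(payload: str, client_ip: Optional[str]) -> bytes:
    # When ipcheck is enabled the client address becomes part of the MAC input,
    # so the same token is rejected when presented from a different address.
    return (payload + "|" + (client_ip or "")).encode()


def issue_token(user_id: int, ttl: int, key: bytes = SERVER_KEY,
                now: Optional[int] = None, client_ip: Optional[str] = None) -> str:
    """Return 'user_id:expiry.<base64 HMAC-SHA256>' signed with the server key."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}:{now + ttl}"
    mac = hmac.new(key, _mac_input(payload, client_ip), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


def verify_token(token: str, key: bytes = SERVER_KEY,
                 now: Optional[int] = None, client_ip: Optional[str] = None) -> Optional[int]:
    """Return the user id if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.rsplit(".", 1)
        uid_s, exp_s = payload.split(":")
        expected = hmac.new(key, _mac_input(payload, client_ip), hashlib.sha256).digest()
        # Constant-time comparison so the MAC cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        if int(exp_s) < now:
            return None
        return int(uid_s)
    except (ValueError, binascii.Error):
        return None


def session_cookie_header(token: str, secure: bool = True) -> str:
    """Build the Set-Cookie header: HttpOnly keeps the value away from scripts,
    Secure keeps it off plain HTTP, SameSite=Lax limits cross-site sending."""
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = secure
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    return c.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    t0 = 1_000_000  # constructed issue time
    tok = issue_token(42, ttl=3600, now=t0)
    print(session_cookie_header(tok))
    # An unbound token verifies no matter where it is presented from: a cookie
    # exfiltrated by XSS replays unchanged, which is what the post points out.
    print("unbound, any client:", verify_token(tok, now=t0))
    bound = issue_token(42, ttl=3600, now=t0, client_ip="198.51.100.7")
    print("bound, same IP:     ", verify_token(bound, now=t0, client_ip="198.51.100.7"))
    print("bound, other IP:    ", verify_token(bound, now=t0, client_ip="203.0.113.5"))
```

The signature covers the user id and expiry, so editing either field invalidates the cookie without any server-side session table, which is why HMAC tokens survive logins from several devices where rotating random session ids do not. It does nothing about a cookie copied verbatim; that is what HttpOnly (keeping it out of script reach) and the address binding (rejecting replay from elsewhere, at the cost of users whose address changes) are for.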