HashCookies - A Simple Recipe
John Fitzpatrick - 7 May 2009
Since HTTP is stateless, web applications use sessions, typically identified by a session ID carried in a cookie, to track a user's state across requests.
Several attack vectors exist which could permit an attacker to gain access to a user's session, and so could result in compromise of the user's account or of other sensitive information.
A session ID that changes and expires can protect a user's session from a number of these attacks. By transmitting a random salt to the web browser, the server enables the browser to generate a new cookie by hashing this salt together with information which only the web browser and the web server know; this cookie is a HashCookie. Because the salt changes, the value sent in one request is not the value expected in the next.
Provided the initial exchange is protected, or an attacker is not in a position to intercept it, then even if an attacker is later able to obtain a valid session ID for a user of a web application, the use of HashCookies provides them no leverage over the user's session: without the secret that only the browser and server share, a captured value cannot be replayed or used to derive the next one. Implementation requires HashCookie support from both the web browser and the web server.
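The exchange described above, written out as an added example (this is illustrative code, not the paper's reference implementation or any browser's). It assumes a per-session secret shared once over the protected initial exchange, HMAC-SHA256 as the hash, a fresh salt issued in every server response, and a session lifetime of SESSION_TTL seconds; the client and server are simulated in one process so both sides of the protocol are visible.

```python
import hmac
import hashlib
import secrets
import time

SESSION_TTL = 600  # seconds; illustrative expiry, not a value taken from the paper


class HashCookieServer:
    """Server side: holds each session's shared secret and the salt currently valid."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be demonstrated
        self.sessions = {}      # session_id -> {"secret", "salt", "expires"}

    def login(self):
        """Initial exchange. The secret must travel over a protected channel
        (TLS); it is the one message an eavesdropper must never see."""
        sid = secrets.token_hex(16)
        secret = secrets.token_hex(32)
        salt = secrets.token_hex(16)
        self.sessions[sid] = {"secret": secret, "salt": salt,
                              "expires": self.now() + SESSION_TTL}
        return sid, secret, salt

    @staticmethod
    def derive(secret, salt):
        """HashCookie value: a MAC over the public salt keyed with the shared secret
        (assumed construction; the paper only says 'hash' of salt and shared data)."""
        return hmac.new(secret.encode(), salt.encode(), hashlib.sha256).hexdigest()

    def handle_request(self, sid, hashcookie):
        """Verify the presented HashCookie. On success, rotate the salt so the value
        just used is worthless to anyone who captured it, and extend the expiry."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False, None
        if self.now() > sess["expires"]:
            del self.sessions[sid]              # expired: session is gone
            return False, None
        expected = self.derive(sess["secret"], sess["salt"])
        if not hmac.compare_digest(expected, hashcookie):
            return False, None                  # wrong value: salt stays unchanged
        sess["salt"] = secrets.token_hex(16)    # next request must use a new value
        sess["expires"] = self.now() + SESSION_TTL
        return True, sess["salt"]


class HashCookieClient:
    """Browser side: remembers the secret and the latest salt the server sent."""

    def __init__(self, sid, secret, salt):
        self.sid, self.secret, self.salt = sid, secret, salt

    def request(self, server):
        cookie = HashCookieServer.derive(self.secret, self.salt)
        ok, new_salt = server.handle_request(self.sid, cookie)
        if ok:
            self.salt = new_salt
        return ok, cookie


def demo():
    """Run the protocol and return what each party achieved (constructed scenario)."""
    clock = [1000.0]
    server = HashCookieServer(now=lambda: clock[0])
    sid, secret, salt = server.login()
    client = HashCookieClient(sid, secret, salt)

    ok1, captured = client.request(server)           # legitimate request; attacker sniffs it
    replay_ok, _ = server.handle_request(sid, captured)   # attacker replays the captured cookie
    # Attacker sees the session ID and the current salt on the wire but not the secret
    forged = HashCookieServer.derive("guessed-secret", client.salt)
    forge_ok, _ = server.handle_request(sid, forged)
    ok2, _ = client.request(server)                  # genuine client still works
    clock[0] += SESSION_TTL + 1                      # let the session expire
    expired_ok, _ = client.request(server)
    return {"first": ok1, "replay": replay_ok, "forge": forge_ok,
            "second": ok2, "expired": expired_ok}


if __name__ == "__main__":
    print(demo())
```

The replay fails because the server consumed the salt when it accepted the genuine request; the forgery fails because the attacker can see the salt but not the secret established during login. A failed attempt does not rotate the salt, so an attacker cannot desynchronise the legitimate browser by sending junk.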