Anonymous sessions should try to prevent session-stealing
| Reported by: | | Owned by: | Adrian Holovaty |
| Severity: | normal | Keywords: | sessions, security, authentication |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
If a user can sniff (or guess) a session id, they can take over a user's session.
The simpler types of attempts to steal sessions can be prevented by gathering as much information as possible about the client when creating a session, and then verifying that that information hasn't changed on subsequent requests. If it has, it should log a warning and log the user out. A hash of REMOTE_ADDR and, if it exists, PROXY_FORWARDED_FOR is commonly used to prevent replay attacks like this.
This is easy enough to implement in the application, but it should probably be built into the framework. A way of providing page tokens/nonces would also be useful, and this could be used to avoid sending session tokens to the client entirely.
Though this is technically an RFE, I'm submitting it as severity normal, because the easiest way to do sessions should be secure by default.
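The client-binding check described in the ticket, as an added example that is not part of the ticket or of Django's own session code: it is stdlib-only, reads the WSGI META keys REMOTE_ADDR and HTTP_X_FORWARDED_FOR (the X-Forwarded-For header, assumed to be what the ticket calls PROXY_FORWARDED_FOR) from a plain dict standing in for request.META, and uses a dict standing in for request.session. The binding key, secret and the demo addresses are constructed for the example.

```python
import hashlib
import hmac
import logging

# Session key that holds the binding; name constructed for this example.
BINDING_KEY = "_client_binding"
# Placeholder secret; in Django this would be settings.SECRET_KEY.
SECRET_KEY = b"example-secret-do-not-use"

log = logging.getLogger(__name__)


def client_fingerprint(meta, secret=SECRET_KEY):
    """Keyed hash of REMOTE_ADDR and, if present, X-Forwarded-For.

    An HMAC rather than a bare hash keeps a stolen session store from
    revealing the client address and lets the key be rotated.
    """
    parts = [meta.get("REMOTE_ADDR", "")]
    if "HTTP_X_FORWARDED_FOR" in meta:
        parts.append(meta["HTTP_X_FORWARDED_FOR"])
    return hmac.new(secret, "\n".join(parts).encode(), hashlib.sha256).hexdigest()


def bind_or_verify(session, meta):
    """Store the fingerprint on first use, verify it on every later request.

    Returns "bound", "ok" or "mismatch". On mismatch the session data is
    discarded, which is the "log the user out" step the ticket asks for;
    a middleware would call this before any view runs.
    """
    fingerprint = client_fingerprint(meta)
    stored = session.get(BINDING_KEY)
    if stored is None:
        session[BINDING_KEY] = fingerprint
        return "bound"
    if hmac.compare_digest(stored, fingerprint):
        return "ok"
    log.warning("session presented from a different client; discarding it")
    session.clear()
    return "mismatch"


def demo():
    """Legitimate client binds and re-uses the session; a second client
    presenting the same session id is rejected and the session emptied."""
    session = {"user_id": 42}
    owner = {"REMOTE_ADDR": "203.0.113.7"}        # constructed address
    other = {"REMOTE_ADDR": "198.51.100.9"}       # constructed address
    results = [bind_or_verify(session, owner), bind_or_verify(session, owner),
               bind_or_verify(session, other)]
    return results, session
```

Binding to the client address will also log out users whose address legitimately changes mid-session (mobile networks, proxy pools), so the warning log should be watched for that false-positive rate before the check is made the default.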