I read http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
Log into a website, copy the essential cookie values, then paste them into another browser running on another computer. That's all it takes. It's quite an eye opener.
My question is, does this method also work if we use PHP/ASP.NET sessions?
And if it does work, what techniques can we (as web developers) employ to prevent this trick from working? Basically I do not wish the user to be able to log in to his account just by pasting cookies; a password is a MUST.
If the above is not possible, does it mean that even for google products like Gmail, I will have some way to login into my account without requiring my password?
Sessions are sessions: accomplished by storing an ID token in a cookie. You cannot prevent the cookies from being manually copied between browsers.
You can attempt to do things like logging the original User-Agent string when they log in, and compare each time (if they logged in with Firefox, and are suddenly using Opera, hmmMmMmmmmmm). Same for IP addresses… but IP addresses are problematic for mobile users and people behind multi-homed proxy server systems, such as most of AOL and the like. Their IP can potentially change for EVERY request.
There’s no foolproof method of preventing cookie sharing that can’t be bypassed (change your browser’s UA so they ALL claim to be a single type/version), or produce false-positives (IP changes due to proxies).
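The User-Agent check described in the answer above, as an added example that is not code from the question or the answer author. It is a framework-agnostic stand-in for PHP's `$_SESSION` / ASP.NET session state: an in-memory store (`SessionStore`, a hypothetical name) records a hash of the User-Agent at login and compares it on every request, dropping the session on a mismatch. The header strings are constructed sample values. As the answer notes, this is a heuristic: it flags a cookie presented from a different browser type, and a forged User-Agent defeats it.

```python
"""Bind a server-side session to the User-Agent seen at login and detect a
mismatch on later requests (the heuristic from the answer above)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ua_hash: str  # hex SHA-256 of the User-Agent header recorded at login


def ua_fingerprint(headers: dict) -> str:
    """Hash the User-Agent header; a missing header hashes to a fixed value."""
    ua = headers.get("User-Agent", "")
    return hashlib.sha256(ua.encode("utf-8")).hexdigest()


class SessionStore:
    """In-memory store keyed by the random session ID that goes into the cookie
    (hypothetical stand-in for PHP/ASP.NET session state)."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, headers: dict) -> str:
        """Call only after the password has been verified; returns the new ID."""
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._sessions[sid] = Session(user, ua_fingerprint(headers))
        return sid

    def resolve(self, sid: str, headers: dict):
        """Return (user, reason); user is None when the session is rejected."""
        session = self._sessions.get(sid)
        if session is None:
            return None, "unknown-session"
        if not hmac.compare_digest(session.ua_hash, ua_fingerprint(headers)):
            # Valid cookie, different browser type: treat it as a possibly
            # copied cookie, discard the session and require a fresh login.
            del self._sessions[sid]
            return None, "ua-mismatch"
        return session.user, "ok"

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value with the HttpOnly flag from the linked post. HttpOnly
    keeps page scripts from reading the cookie; it does not stop a user who
    copies the value out of the browser by hand."""
    return f"sid={sid}; Path=/; HttpOnly; Secure"


if __name__ == "__main__":
    # Constructed request headers for the demo
    firefox = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) "
                             "Gecko/20100101 Firefox/115.0"}
    opera = {"User-Agent": "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 "
                           "Version/12.18"}
    store = SessionStore()
    sid = store.login("alice", firefox)
    print(session_cookie_header(sid))
    print(store.resolve(sid, firefox))  # ('alice', 'ok')
    print(store.resolve(sid, opera))    # (None, 'ua-mismatch')
    print(store.resolve(sid, firefox))  # (None, 'unknown-session')
```

The comparison uses `hmac.compare_digest` so the check itself does not leak timing information about the stored hash, and the session is removed rather than merely refused, so the original browser is also forced back to the password prompt once a mismatch has been seen.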