Friday, 13 September 2013

anti-replay attack for secure cookies?

In the system that I'm working on, we have some session cookies on
the client side that we need to protect against replay attacks. So I
found the following paper
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf from this
forum
http://security.stackexchange.com/questions/7398/secure-session-cookies. I
really like the way that they put things together. There is only one
problem with this, and that is the use of the SSL session key (this is used for
anti-replay purposes). I have some problems getting this parameter in my
code (we use the .NET Framework and the server is running on IIS 7.0). So I was
wondering whether anyone has implemented this method for his/her system
and whether you have a suggestion on replacing this parameter with another
one.
BTW, I know that server-side sessions are more secure than client-side
cookies, but my team currently prefers cookies to sessions.
Thanks
