Paid Advertising is
ha.ckers sla.cking
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Passing sensitive data between forms
Posted by: gcaplan
Date: May 09, 2008 05:35AM

Hi folks

I'm building a form system where I have to pass some moderately sensitive data between forms.

So I have to save the data into the user session in a way that is unlikely to be cracked if the web server is compromised.

Here's the approach I've come up with - is this fairly secure, or am I missing something?

1) For each data value, generate a random encryption key
2) Encrypt the value, using Rijndael-256
3) Store the encrypted value server-side in the session
4) Obfuscate the cookie id via hashing
5) Encrypt and sign the encryption key
6) Store the encryption key client-side in a non-persistent secure cookie
7) In the application, disallow any non-https requests to the form system
8) Sweep the session data regularly, to limit the life of the encrypted values.

The idea is that the encrypted data and the key are never stored in the same place. There is no facility for users to post to the site, so cross-scripting attacks shouldn't be an issue. But even if the cookie is hijacked out of the SSL (a low risk, surely?) or the attacker has direct access to the client, the attacker still has to figure out what the cookie is, hack the server, locate the encrypted values during their short life, locate the decryption password in thousands of pages of code, decrypt the key and then decrypt the value.

Is this sufficient? Is there a better way? Any feedback much appreciated!


Options: ReplyQuote

Sorry, only registered users may post in this forum.