Nov 9, 2010

Should you check the user agent?

Checking the user agent on incoming requests to prevent session hijacking is sort of like putting scotch tape on your door to keep intruders out of your house.

But it is one little extra barrier that an attacker would have to bypass, so I put it in my code. Then I was playing around on my site in IE8 one day, and just for fun I hit the Compatibility View button. And it broke everything.

Clicking this button toggles the browser's User-Agent string between the IE7 and IE8 values, so the value stored at login no longer matches the one on the next request and the session check fails. To make sure the site still works, I've taken the user agent checking completely out of the application.

This still won't allow anyone to hijack a session, because all traffic, including cookies, is sent only over SSL. There are a number of other security features built in, so the scotch tape can come off.
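An added example (my code, not code from this post) that reproduces the failure described above: a minimal in-memory session store that can bind a session to the User-Agent seen at login, exercised with constructed User-Agent strings for IE8 with and without Compatibility View. The `SessionStore`, `session_cookie` and `compat_view_scenario` names are assumptions for illustration; the `Secure` and `HttpOnly` cookie attributes are the concrete mechanism behind "cookies are sent only over SSL".

```python
import secrets

# Constructed sample User-Agent strings: what IE8 sends normally, and what the same
# browser sends after the user clicks the Compatibility View button (it then reports
# itself as IE7 while keeping the Trident/4.0 engine token).
UA_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
UA_IE8_COMPAT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"


class SessionStore:
    """Minimal in-memory session store (hypothetical, for illustration only).

    With bind_user_agent=True the store records the User-Agent seen at login and
    rejects any later request whose User-Agent differs, which is the check the post
    added and then removed.
    """

    def __init__(self, bind_user_agent):
        self.bind_user_agent = bind_user_agent
        self._sessions = {}  # session id -> {"user": ..., "ua": ...}

    def create(self, user, user_agent):
        # 256 bits from the OS CSPRNG: the session id itself is the secret.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ua": user_agent}
        return sid

    def validate(self, sid, user_agent):
        """Return the user for a valid session, or None if the request is rejected."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self.bind_user_agent and rec["ua"] != user_agent:
            # The "scotch tape": any change of User-Agent fails the check, whether it
            # comes from an attacker or from the legitimate user's own browser.
            return None
        return rec["user"]


def session_cookie(sid):
    """Set-Cookie value with the attributes the post relies on instead of the UA check.

    Secure keeps the cookie off plaintext HTTP; HttpOnly keeps it away from page scripts.
    """
    return "sid=%s; Secure; HttpOnly; Path=/" % sid


def compat_view_scenario(bind_user_agent):
    """Log in from IE8, then send the next request after toggling Compatibility View.

    Returns (user seen before the toggle, user seen after the toggle).
    """
    store = SessionStore(bind_user_agent)
    sid = store.create("alice", UA_IE8)
    before = store.validate(sid, UA_IE8)
    after = store.validate(sid, UA_IE8_COMPAT)  # same browser, same cookie, new UA
    return before, after


if __name__ == "__main__":
    print("UA check on: ", compat_view_scenario(True))   # ('alice', None): user locked out
    print("UA check off:", compat_view_scenario(False))  # ('alice', 'alice')
    print(session_cookie("example-session-id"))
```

The scenario shows the trade-off in numbers rather than metaphor: with the check on, the legitimate user is logged out the moment the User-Agent changes, and the same happens on every browser update. With the check off, the session's safety rests on the cookie never being exposed, which is what `Secure` (TLS only) and `HttpOnly` (no script access) enforce; anyone who can read the cookie can read and replay the User-Agent as well, so the binding never added much beyond that.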
