Results tagged “security”

I've run into the nasty problem that Chrome Frame causes for session-handling code that uses the user agent in its security. There are applications that use the user agent string in a hash that sets the signature of a session. Each time the session is loaded using that key, the signature is checked. This catches some session hijacking attempts. Let's assume that an attacker is able to obtain a user's session key and then uses it. There is some probability that the user agent will be different and the attack will fail. It's a layered-security approach: it doesn't prevent the attack but makes it harder. Of course, if the attacker sniffed the session key, the attacker also has the user agent. If the attacker obtained the session key from the user's computer, the user agent was available there also. So you can see that it is not much of a security feature.

There are web applications that use this, and this is where Google's Chrome Frame browser add-on for IE comes into play. This extension changes the user agent based on the type of data requested and the method of the request. These user agent changes cause the signature check to fail, and the session is regenerated (and the user is logged out). Depending on the site and content, this can appear to be almost random or it can be very consistent (log in, log out, log in, log out...).

The solutions are to either drop this security feature or filter the chromeframe string out of the user agent.
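The second option, sketched as an added example (not code from any particular application): the chromeframe token is stripped from the user agent before it goes into the session signature, so requests with and without the token verify against the same stored value. The secret, the function names, the sample user agent strings and the use of HMAC-SHA256 in place of a bare hash are all assumptions made for this example.

```python
import hashlib
import hmac
import re

# Hypothetical server-side secret; a real application loads this from configuration.
SECRET = b"constructed-demo-secret"

# Matches "chromeframe" or "chromeframe/<version>" plus the separator in front of it.
_CHROMEFRAME = re.compile(r";?\s*chromeframe(?:/[\w.]+)?", re.IGNORECASE)

# Constructed sample user agents: the same IE install with and without the token,
# and an unrelated browser.
IE_PLAIN = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
IE_GCF = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; chromeframe/1.0)"
OTHER = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"


def normalize_user_agent(user_agent: str) -> str:
    """Remove the chromeframe token and collapse runs of whitespace."""
    stripped = _CHROMEFRAME.sub("", user_agent)
    return " ".join(stripped.split())


def session_signature(session_key: str, user_agent: str) -> str:
    """Bind the session key to the normalized user agent."""
    message = f"{session_key}|{normalize_user_agent(user_agent)}".encode("utf-8")
    return hmac.new(SECRET, message, hashlib.sha256).hexdigest()


def signature_matches(stored: str, session_key: str, user_agent: str) -> bool:
    """Constant-time check of the stored signature against the current request."""
    return hmac.compare_digest(stored, session_signature(session_key, user_agent))


if __name__ == "__main__":
    key = "constructed-session-key"
    stored = session_signature(key, IE_PLAIN)          # signature set at login
    print(signature_matches(stored, key, IE_GCF))      # token present: still valid
    print(signature_matches(stored, key, OTHER))       # different browser: rejected
```

Normalization happens on both the signing and the checking side, so sessions created before the change under a raw user agent will fail once and be regenerated.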
