4.5 Problem Manager 03 Session Cookie

4.5.03 Session Cookie:
Session cookies can be a thorn in the side when they do not work as expected, and they are totally avoidable. Rather than building technology that relies entirely on cookies, which may become vulnerable because criminals know how they work, the best solution is to avoid using session cookies.
Session cookies demand that browser settings allow these files to be written to a user's device. Where CHF URL techniques are employed, session cookies can be replaced with a server-side file (or table) where the session key is part of the CHF URL.
Theory:
A session file (or record) exists with a one hour life that is refreshed by each user request. The CHF URL holds the session key, which enables all other session data to be held on the server in a file.
WDID is simply the archive of all session requests.
The session file name includes YYMMDDHHMMSS, so a quick scan will identify those sessions that are more than one hour old and have expired. Yes, the date part is redundant, as we do not expect to support sessions across a date boundary.
The WDID file name includes YYMMDD to archive all session records by date.
Procedure:
When the home page is requested, the URL parameter is empty and a new session file is created, with its key hidden in all subsequent CHF URL strings. Every CHF URL contains a session key and the web page (WPG) primary key.
When a CHF URL is input, the session key and WPG key are decoded. The WPG record is selected by pkey and the session data is selected using the session key as the file name.
The session file is a long string using vertical bars between fixed-position variables; it can be exploded into an array with field-numbered keys such as $ses_info['c21']. The session must include the UAS primary key, which can be used to get UAP and UAS data by primary key.
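The session file naming, the one-hour expiry scan and the bar-delimited record explode/implode described in Theory and Procedure, as an added Python example (not code from the original page; the page's array is PHP). The 8-digit key prefix, 1-based c01.. field numbering and the sample record are assumptions.

```python
from datetime import datetime, timedelta

SESSION_LIFE = timedelta(hours=1)   # one hour life, refreshed by every request
STAMP_FORMAT = "%y%m%d%H%M%S"       # YYMMDDHHMMSS, as the session file name carries it

def stamp(when: datetime) -> str:
    """Render a datetime as the YYMMDDHHMMSS stamp used in session file names."""
    return when.strftime(STAMP_FORMAT)

def session_file_name(session_key: str, refreshed: str) -> str:
    """8-digit session key followed by the YYMMDDHHMMSS stamp of the last request."""
    if len(session_key) != 8 or not session_key.isdigit():
        raise ValueError("session key must be exactly 8 digits")
    datetime.strptime(refreshed, STAMP_FORMAT)   # reject a malformed stamp early
    return session_key + refreshed

def split_session_file_name(name: str):
    """Recover (session_key, last_refreshed datetime) from a file name."""
    return name[:8], datetime.strptime(name[8:], STAMP_FORMAT)

def is_expired(name: str, now: str) -> bool:
    """Expired when the last refresh is more than one hour before 'now' (also a stamp)."""
    _, refreshed = split_session_file_name(name)
    return datetime.strptime(now, STAMP_FORMAT) - refreshed > SESSION_LIFE

def expired_sessions(names, now: str):
    """The 'quick scan' over a directory listing: names of sessions older than one hour."""
    return [n for n in names if is_expired(n, now)]

def explode_session(record: str) -> dict:
    """Explode the bar-delimited record into c01, c02, ... keys (1-based numbering assumed)."""
    return {f"c{i:02d}": v for i, v in enumerate(record.split("|"), start=1)}

def implode_session(fields: dict) -> str:
    """Inverse of explode_session; a bar inside a value would corrupt the record, so refuse it."""
    if any("|" in v for v in fields.values()):
        raise ValueError("field values must not contain a vertical bar")
    count = max(int(k[1:]) for k in fields)
    return "|".join(fields.get(f"c{i:02d}", "") for i in range(1, count + 1))

# Constructed sample: three fields, session key 00001234 last refreshed 2016-09-14 10:30:00.
SAMPLE_RECORD = "00000042|00000007|active"
SAMPLE_NAME = session_file_name("00001234", "160914103000")
```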
Strategy:
Security can be improved by not following what everybody else does in certain controlled areas.
1. URL parameter manipulation can be totally avoided by using a CHF URL that cannot be manipulated without the change being detected.
2. Session cookies have caused issues and can become a risk; they can be totally avoided by using secure server-side session files.
CHF URL:
A Cryptographic Hash Function URL is a means to make and decode a long string of digits as the single URL parameter.
Public page URL contains:
1. Session key as 8 digits that may not be used.
2. WPG key as 8 digits that provides the target web page.
Private page URL contains:
1. Session key as 8 digits that can then include signed-in session data.
2. WPG key as 8 digits that provides the target web page.
3. UAS key as 8 digits used to access UAS, UAP and UAD data.
CRM page URL contains:
1. Session key as 8 digits that can then include signed-in session data.
2. WPG key as 8 digits that provides the target web page.
3. UAS key as 8 digits used to access UAS, UAP and UAD data.
4. Keys as primary key and keys 04 to 13.
5. Search as history page, list page, field number, filter-A number and code, filter-B number and code.
Search CRM URL:
Because it is a business requirement to search more than one window at the same time, the following data must be in the URL for each window.
1. History page number - 2 digits
2. List page number - 2 digits
3. Field number - 2 digits
4. Filter-A field number - 2 digits
5. Filter-A code - 3 to 6 digits
6. Filter-B field number - 2 digits
7. Filter-B code - 3 to 6 digits
Key CRM URL:
Because it is a business requirement to process more than one CRM window at the same time, all key data must be part of the URL links within each CRM window.
1. Primary key - 8 digits
2. Symbolic keys 03 to 13 - 88 digits
CHF URL:
Session cookies exist because critical session data cannot be held in the URL. But with the advent of CHF URL strings that cannot be changed without detection, a session key can become part of the URL. The session key gives access to a specific file containing any number of secure session fields, just like session variables.
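Building and decoding the single-parameter CHF URL described in the two CHF URL sections above, as an added Python example that is not the page's own code. The page does not name the hash function; a keyed HMAC-SHA256 over the fixed-width 8-digit keys is assumed, truncated to 20 decimal digits so the whole parameter stays a string of digits, because an unkeyed digest could be recomputed by anyone who knows the layout. SERVER_KEY is a constructed placeholder.

```python
import hmac
import hashlib

SERVER_KEY = b"replace-with-a-random-secret"  # constructed placeholder; keep the real key out of source
KEY_WIDTH = 8     # every key (session, WPG, UAS, ...) is a fixed 8-digit field
MAC_WIDTH = 20    # decimal digits of the truncated keyed hash appended to the digit string

def _mac(digits: str) -> str:
    """Keyed hash of the digit body, rendered as 20 decimal digits (first 64 bits of HMAC-SHA256)."""
    hexmac = hmac.new(SERVER_KEY, digits.encode(), hashlib.sha256).hexdigest()
    return str(int(hexmac[:16], 16)).zfill(MAC_WIDTH)

def make_chf_url(keys) -> str:
    """Concatenate fixed-width 8-digit keys and append the MAC; result is all digits."""
    if len(keys) < 2:
        raise ValueError("at least the session key and the WPG key are required")
    fields = []
    for k in keys:
        digits = str(k).zfill(KEY_WIDTH)
        if len(digits) != KEY_WIDTH or not digits.isdigit():
            raise ValueError(f"key {k!r} does not fit in {KEY_WIDTH} digits")
        fields.append(digits)
    body = "".join(fields)
    return body + _mac(body)

def decode_chf_url(parm: str):
    """Return the list of 8-digit keys, or None when the parameter was altered or truncated."""
    if len(parm) < KEY_WIDTH * 2 + MAC_WIDTH or (len(parm) - MAC_WIDTH) % KEY_WIDTH:
        return None
    body, mac = parm[:-MAC_WIDTH], parm[-MAC_WIDTH:]
    if not body.isdigit() or not hmac.compare_digest(_mac(body), mac):
        return None   # any changed digit fails the keyed hash check
    return [body[i:i + KEY_WIDTH] for i in range(0, len(body), KEY_WIDTH)]

def public_page_url(session_key, wpg_key) -> str:
    """Public page: session key + WPG key."""
    return make_chf_url([session_key, wpg_key])

def private_page_url(session_key, wpg_key, uas_key) -> str:
    """Private page: session key + WPG key + UAS key."""
    return make_chf_url([session_key, wpg_key, uas_key])
```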
Old Session Data:
1. SESSION_SITE_KEY when signed in or site switch as UAD pkey.
2. SESSION_SITE_NAME when signed in or site switch.
3. SESSION_USER_KEY when signed in as UAP pkey.
4. SESSION_USER_NAME when signed in.
5. SESSION_USER_ROLE when signed in or UAS pkey.
6. SESSION_USER_WELCOME page number to begin signed in session.
7. SESSION_USER_REQUEST counter when signed in.
8. SESSION_USER_THEME config public and private use.
9. SESSION_USER_STAT as access active or inactive or other data.
9b. SESSION_USER_QUAL as access to data quality.
10. SESSION_USER_DEBUG as switch.
11. SESSION_USER_PDOS as signed in flag but may not be needed.
The following should be global variables or are obsolete...
12. SESSION_USER_LANG - not used - language is selected as needed.
13. SESSION_USER_SITE implies c03 but not used.
14. SESSION_USER_HANDLE - obsolete.
15. SESSION_USER_MAIL - not needed.
16. SESSION_USER_MODE - not needed.
17. SESSION_USER_CLAIM - not needed.
18. SESSION_USER_LAST last sign in date for information only.
19. SESSION_USER_SOFF last signed off date for information only.
Old Extended Session Data:
The following should be global variables...
1. NUMBER as current data for WDID and other functions.
2. FUNCTION as current data for WDID function.
3. SUBJECT as current data for WDID function.
4. SIN-MESSAGE as message to page after sign in error.
Sign in by email link:
For some people, sign in is a traumatic experience to be avoided, but in many cases the trauma can be avoided by using the permanent cookie and private email.
Where a user is identified by their permanent cookie, showing their user handle and email address on the sign in page, an optional topic will show an "authenticate" icon. The user can press the "authenticate" icon and then close their browser. A secure email is sent to the user's email address with a link that must be used within 5 minutes to sign them in. The user simply clicks the email link within the assigned duration and is signed in to the welcome page without needing to remember their pass phrase.
If the email is hijacked and the link is clicked, it will fail because the link can only be used by the named person with the permanent cookie on their local computer, and the link will only work for a few minutes from when it was requested. This email mechanism is independent of the normal sign in procedure, which continues unchanged.
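The email link check described above, as an added Python example (not code from the original page): the link token is bound to the user's permanent cookie and to the time it was issued, so a hijacked link fails from a browser without that cookie or after 5 minutes. Single use via a set of consumed tokens is an extra check added here; SERVER_KEY and the sample values are constructed.

```python
import hmac
import hashlib

SERVER_KEY = b"replace-with-a-random-secret"  # constructed placeholder; keep the real key out of source
LINK_LIFE = 5 * 60                            # the link must be used within 5 minutes

def _link_mac(user_key: str, issued: int, permanent_cookie: str) -> str:
    """MAC over user key, issue time and the permanent cookie; the cookie itself never leaves the server."""
    msg = f"{user_key}|{issued}|{permanent_cookie}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def make_signin_link_token(user_key: str, permanent_cookie: str, issued: int) -> str:
    """Token placed in the emailed link: user key, issue time (unix seconds) and MAC."""
    return f"{user_key}.{issued}.{_link_mac(user_key, issued, permanent_cookie)}"

def verify_signin_link_token(token: str, presented_cookie: str, now: int, used: set):
    """Return the user key when the link is fresh, unused and the browser presents the matching
    permanent cookie; otherwise None. 'used' records consumed tokens so a link works once."""
    try:
        user_key, issued_s, mac = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return None
    if not 0 <= now - issued <= LINK_LIFE:
        return None                               # expired (or issued in the future)
    expected = _link_mac(user_key, issued, presented_cookie)
    if not hmac.compare_digest(expected, mac):
        return None                               # wrong cookie or altered link
    if token in used:
        return None                               # replay of an already used link
    used.add(token)
    return user_key
```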
Overview:
1. Session cookies are a legal contract between an approved person and the data processor (ASP) that the approved person is responsible for all data changes until the approved person signs off.
2. The legal contract is manifested as a session cookie that is written to the approved person's computer by sign in and is deleted by sign off.
3. The session cookie is a 32 character key that is part of every transaction sent by the approved person's browser.
4. If the approved person closes their browser, the session cookie is deleted and they must sign in to create a new session cookie.
5. The approved person may have more than one browser, each with its own unique session cookie that is independently active until sign off.
Threat:
1. Session cookies are an international standard shared by all browsers, so their inner workings are fully understood by criminal agencies.
2. It is practical for a criminal to access an approved person's computer and view the browser's session cookies. Network shares are being disabled because they enable anybody on the same network to view the session cookies used by other people.
3. The criminal can copy the session cookie to their own machine and then impersonate the approved person with fake transactions that look like they are from the approved person.
4. When the approved person signs off, the session cookie becomes invalid and cannot be used by a criminal, so it is very important to sign off to prevent criminals using a session cookie long after an approved person has left.
Solution:
1. Session cookies were good enough for twenty years but are no longer good enough, and extra layers of protection are mandated.
2. Fingerprinting is an extra facility that is used with session cookies to improve the legal contract as follows:
3. When an approved person signs in from a unique computer, that person's computer is responsible for all data changes until the person signs off.
4. Not only must the session cookie be valid, but the fingerprint of the computer hardware and system software must also be identical. When a computer's operating system is upgraded from version 1608 to 1609, the fingerprint is changed, the session is ended and the approved person must sign in again.
5. When a criminal steals a session cookie, that session cookie cannot be used by a different machine with a different fingerprint; the criminal impersonating the approved person is instantly identified and blacklisted.
6. Fingerprinting has proved to be so good that it may indicate what session cookies may become in the future. The new standard is that only the unique computer that signed in can make requests until that same computer signs out.
7. Fingerprinting is a trade secret that accumulates a large number of different hardware and system software characteristics in a way that criminals cannot impersonate. Because the fingerprinting function evolves each day, criminals may not have time to discover a means to impersonate all characteristics of a unique computer.
Evolution:
1. Sign in with session cookies was a solution for the Microsoft one-per-desk era, which is being replaced by the mobile device era.
2. Mobile devices are personal, where physical ownership is 90% of the law and a short access code is good enough to foil a thief.
3. The current set of personal applications enables people to sign in for months at a time, rather than daily.
4. In the event that the mobile device is lost or stolen, it can be remotely disabled in a moment, making it worthless.
5. While millions of seemingly identical mobile devices may exist, each mobile has a unique fingerprint of applications enabled and disabled, of operating system facilities enabled and disabled, and of images and colour themes.
6. The possibility that a criminal could steal a session cookie and impersonate an approved person's mobile device with an identical fingerprint is very unlikely.
7. For the next decade:
(a) one-time pass-phrase to sign in for the first time by an approved person to register a new computing device.
(b) sign in duration may be automatically and continually renewed where the computing device is used every day.
(c) a short access code periodically entered to confirm that the approved person still owns the computing device.
(d) a self-service facility to cause a computing device to be disabled when it is lost or stolen.