Gathering session cookies with Firesheep
Posted Nov 4, 2010 3:19 UTC (Thu) by JohnLenz
Parent article: Gathering session cookies with Firesheep
Since this situation is so common, it would be nice if the browsers would implement some sort of optional HMAC-SHA1 digest you could use on cookies. So in a SSL connection you could have the server send a cookie (containing the session id) plus and a shared secret key. Then everytime the browser sends a request, it sends the cookie, a sequence number, and the HMAC digest of the cookie plus sequence. You could send this over an unencrypted connection. No replay attack would be possible because the sequence number has been used and the attacker can't create digests. A single HMAC-SHA1 calculation would be less work than a full SSL connection on the server.
to post comments)