WingNews logo WingNews
top | item 5520624

(no title)

samarudge | 13 years ago

Would it increase security to include the user-agent, or part of the user-agent, in the HMAC secret? So the secret was "abc123Mozilla[etc]", that would then presumably require identical browsers to work, at the expense of logging everyone out every time their browser updates. Or include all, or part of the IP address to restrict the network.

discuss

order

X-Istence|13 years ago

Using the IP address to restrict it would work, since now the attacker would need to have the same IP address to get a session that will stick, but this may cause users to be logged out when their ISP changes their IP, or when they move from home to a coffee shop for instance.

0x0|13 years ago

JS can get at that with "navigator.appVersion"