First of all, this is not about preventing cookie stealing, this is about making cookie stealing useless! (Stolen cookies will have no use at all!)
For secure purpose, browsers need an encryption option based on browser's Unique Id, see the demonstration below and comment what you think about it:
- Every time at browser execution, an "Unique String Hash Id" is generated based on the browser "compilation random code" and several system info! (Compile_Random_Code + OS name + user name + browser name + devices mac address + etc + ...)
- The above "Unique String Hash Id" will be used for many situations, cookies encryption, for example. Before sending an encrypted cookie to the server, the browser must decrypt it first with the "Unique String Hash Id"
- Since every browser have a different "Unique String Hash Id", it means that if encrypted cookies from one browser are stolen and are about to be used in another browser, they will not work because the decryption key will be different than the encryption key.
Note that, it will not even be necessary to send the browser "Unique String Hash Id" to the server because all the encryption\decryption process occurs in the browser itself.
The browser "Unique String Hash Id" can be used to encrypt and store important returned values from server in javascript variables as well, and the values can only be decrypted while being sent back to the server.
The way "cookies, session id, local storage, etc" currently work are really not secure, what do you think?
No comments:
Post a Comment