Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Auditing user session activity

from [Antonio Varni] Network Security [Permanent Link]
Subject: Re: Auditing user session activity
Date: Fri, 8 Oct 2004 11:35:02 -0700 
As long as you are ok with your session information leaking out
through the referrer field after the user clicks off site.


On Wed, 06 Oct 2004 13:04:46 +0300, tie <tie@ankh.morp.org> wrote:

Hi Jeffrey,

The easiest way for you to go would be to start using URL (i.e. not
cookie based) sessions. In this way, you will have the Session ID track
inside your web server log file.

Then, in your login script you will just have to record username and
SID, upon successful login.

In this way, you can match the lines from the web server log against the
usernames recorded by your  login script.

Regards,
tie



Koniszewski, Jeffrey wrote:


We are being asked by our customers to audit session activity so that 
customers can answer the question, "Who is doing what?". Our current 
implementation for this is to write audit records to the database. However, 
I am having some second thoughts about this. This requires a database hit 
for every non static URL access to the system. I'm not sure of the overall 
runtime performance impact. Further, for enterprise class customers the 
audit records are likely to exceed 2G per month. This creates a lot of data 
cleanup to manage. In addition, reporting on this data may require a lot of 
overhead from the system. Any thoughts on likely retention policies for such 
audit data?

Users must log in to our application and we maintain session state. We do 
integrate with Single Sign On products like Netegrity.

I am rolling around a couple of ideas:

One is that session audit is not a primary application problem and not 
application data. Can this capability (session audit) be delivered by an 
external application (IDS?, SSO product?) that is dedicated to do this type 
of work. Then the customers that want the capability install it, probably 
get a more professional implementation, and use it for other applications as 
well. What security applications can provide this type of audit? Web server 
logs can provide URL access information but don't know users. It seems that 
whatever writes the audit would need to manage user logon as well to be able 
to associate the user with the activity.

The second idea is,  would I be better off using a file for the audit 
information? This introduces a bunch of file management headaches in a 
multiserver system but takes a load off the database, which is already our 
bottleneck.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Auditing user session activity, Leigh Morresi
Next by Date:  Re: Web Forms filtered with SQL constraints, yahoouec
Previous by Thread:  Re: Auditing user session activity, tie
Next by Thread:  Re: Auditing user session activity, Matt Fisher
Indexes:  [Date] [Thread] [Top] [All Lists]