https://wiki.owasp.org/index.php?action=history&feed=atom&title=Securing_cookie_to_one_IPSecuring cookie to one IP - Revision history2026-04-20T14:46:21ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Securing_cookie_to_one_IP&diff=24506&oldid=prevClickfind: New page: '''The idea is to make sure a cookie can only be used by the user who it was intended for.''' In other words, if a hacker gained access to the cookie he/she would not be able to use it. T...2008-01-15T22:26:52Z<p>New page: '''The idea is to make sure a cookie can only be used by the user who it was intended for.''' In other words, if a hacker gained access to the cookie he/she would not be able to use it. T...</p>
<p><b>New page</b></p><div>'''The idea is to make sure a cookie can only be used by the user who it was intended for.'''<br />
In other words, if a hacker gained access to the cookie he/she would not be able to use it.<br />
<br />
The following code samples are for ColdFusion MX, but the principle can easily be used in other languages.<br />
<br />
1. when the user starts a session, set a cookie named "hash" with a hash value of the remote IP address and a secret string, for example "s3cr375tr1ng"<br />
<br />
2. upon each following request made, the application checks whether the cookie still exists, and whether the value still matches the remote IP<br />
<br />
If the values do not match, then you'd delete the rest of the cookie values and require them to be reset.<br />
<br />
'''Now for the ColdFusion code'''<br />
<br />
We're assuming you're using jsessionid because they expire when the browser closes, and ColdFusion MX<br />
<br />
In onSessionStart we set the following cookie<br />
<br />
<cfcookie <br />
name="hash" <br />
value="#hash( cgi.remote_addr & "s3cr375tr1ng" )#" <br />
domain=".clickfind.com.au"><br />
<br />
In onRequestStart we have the following code<br />
<br />
<cfif compareNoCase( cookie.hash, hash( cgi.remote_addr & "s3cr375tr1ng" ) ) neq 0 ><br />
<!--- IP is not the same anymore, do what needs to be done here ---> <br />
</cfif><br />
<br />
The above idea was created to secure [http://www.clickfind.com.au www.clickfind.com.au], but we like sharing ;-)<br />
If you have any improvements or suggestions, please do let us know [http://www.clickfind.com.au/contact-us.cfm contact us]</div>Clickfind