From a Defcon conference I found this solution for session attacks:
• Prevent XSS
• Use a different SID generation method
• IP Address check implemented with SID generation and
• Use hash of IP as part of SID generation
• Authentication takes place by regenerating SID and comparing
It may not give us foolproof security, but we can make some modifications to it to achieve our goal against session attacks, like a pool of algorithms for generating the SID + hash of token id + hash/encrypted algorithm code, etc.
What is your opinion about this solution?
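As an added illustration of items 4 and 5 above (this is example code, not from the post or the Defcon talk), the SID below embeds a hash of the client IP and an HMAC tag under a server-side key, so the server verifies a session by regenerating the SID from the presented nonce and the current client IP and comparing it. The key, the SID layout and the hash truncation are my assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example key; a real deployment loads this from a secrets store.
SERVER_KEY = b"constructed-example-key-not-for-production"


def ip_fingerprint(ip: str) -> str:
    """Hash of the client IP that becomes part of the SID (item 4)."""
    return hashlib.sha256(ip.encode()).hexdigest()[:16]


def generate_sid(client_ip: str, nonce: str = "") -> str:
    """Build SID = nonce . H(ip) . HMAC(key, nonce . H(ip)).

    A fresh random nonce is drawn when none is given. The HMAC tag lets the
    server later regenerate the SID from its parts and compare (item 5)
    without a server-side session table.
    """
    nonce = nonce or secrets.token_hex(16)
    body = f"{nonce}.{ip_fingerprint(client_ip)}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_sid(sid: str, client_ip: str) -> bool:
    """Regenerate the SID from its nonce and the *current* client IP, then
    compare in constant time. A changed IP or a tampered tag both fail."""
    parts = sid.split(".")
    if len(parts) != 3:
        return False
    nonce = parts[0]
    expected = generate_sid(client_ip, nonce)
    return hmac.compare_digest(expected, sid)


if __name__ == "__main__":
    sid = generate_sid("203.0.113.7")  # constructed client address
    print("same IP   :", verify_sid(sid, "203.0.113.7"))
    print("other IP  :", verify_sid(sid, "198.51.100.9"))
```

Binding the SID to the IP rejects a stolen cookie replayed from another address, but it also logs out legitimate users whose address changes (mobile networks, load-balanced NAT), so the check is usually combined with other signals rather than used alone.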
The aim of this project is to provide effective real-time Web application security. The Web, which was once supposed to be a simple document exchange mechanism, has now become imperative and ubiquitous. Information flows are increasingly embedded into Web applications, making them extremely valuable and thus an attractive target for hackers, which necessitates protection. Existing security solutions fail to provide a comprehensive level of security.
SWAF, a Semantic based Web Application Firewall, introduces an innovative concept of utilizing semantics for detecting and preventing attacks against Web applications. It is a PCI compliant, cutting-edge technology capable of performing real-time content filtering on the basis of rules generated using application, protocol and attack semantics. The system significantly improves attack detection, thus providing protection against known and unknown attacks. It is engineered to deliver performance and efficiency.