Session steganography idea

Quick idea I had the other day. Session ID tokens are typically short strings of seemingly random characters. While they don’t typically change all that much during a session, it’s good practice to change the session ID every so often to help prevent against security attacks. If someone was to periodically change the session ID, and hide a short message in the ID values such that, when strung together, the message could be extracted, would that be a useful way of transmitting data in a hidden manner? I’m not sure of how much info you could reasonably hide in a series of short session IDs, but it seems like this would be possible.

I'm currently working on a book for web freelancers, covering everything you need to know to get started or just get better. Want to stay updated? Sign up for my mailing list to get updates when the book is ready to be released!

Web Developer Freelancing Handbook

Share and Enjoy:
  • DZone
  • Facebook
  • Reddit
  • StumbleUpon
  • Digg
  • Simpy
  • Technorati

{ 5 comments to read ... please submit one more! }

  1. Aleksandar Jevremovic

    Main idea behind steganography is to hide something small in something big. I don’t find session id big enogh to >hide< something in it.
    However, idea is interesting if you need to synchronize server and client without using additional parameters.

  2. If you have, say, 100 requests, that’s 100 potentially different session IDs that could be exchanged, which might be 3200 characters, which should be enough to hide a small amount of data, which was my original thought (but I probably didn’t express it very well).


  3. Excuse me but cant see any point in this.

    Can you provide some reasoning please?

    Why would you want to change session id all the time to pass some bits across in hidden fashion? Who would be reading this data?

    I did not get the idea at all.

    You wont gain much security by obscurity and you can break your app easily.

  4. Why do people hide messages in pictures? It’s just another channel to communicate over (albeit rather slowly) but would ideally not be something that would be looked at. Assuming someone would be sniffing your traffic, they may not consider looking at the http headers as much as the actual payload, and if the data was split up (and hidden) over multiple requests, it would be much harder to even notice.

  5. @art

    “You wont gain much security by obscurity and you can break your app easily”

    Not sure at all what you mean by this?

{ 0 Pingbacks/Trackbacks }

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" line="" escaped="">