php - Preventing facebook session hijacking
I'm building a financial services web application and my company wants to incorporate facebook authentication into it. Because we're in the finance world, security is paramount. I'm using the facebook PHP SDK for integration, but I'm really concerned about session hijacking. In my college days I would session hijack the crap out of everyone around me (which was great fun), but I'm trying to find a way to prevent this with my application.
My company wants the authentication process as streamlined as possible, so that means something like two-factor authentication is not desirable. But prompting the user for another piece of information AFTER facebook login seems to be the most secure way of doing it. I'm wondering if any of you clever people can come up with some other way of securing this while keeping the entire process simple and quick?
Answer
Solution:
Another piece of information is only useful if P(attacker-has-extra-info | attacker-hijacked-session) is low.
If you can use a complicated second factor the first time they interact (or interact in a security sensitive way) with you and then remember the machine from which they connect to skip the second factor on subsequent visits, then you can get streamlined interaction in general.
Asking for something like their balance on their last statement to authenticate a device for the first time might be a good second factor -- it would prove that they already know something that is presumably privileged related to that account.
Alternatively, sending a text with a random number to a mobile device associated with the account can act as a second factor assuming they are not connecting from that device.