Session Fixation Vulnerability in Web Based Apps
James A. Donald
jamesd at echeque.com
Fri Jun 13 13:52:16 EDT 2003
--
On 12 Jun 2003 at 16:25, Steve Schear wrote:
http://www.acros.si/papers/session_fixation.pdf
Wow.
This flaw is massive, and the biggest villain is the server
side code created for Apache.
When you login to your bank, your e-gold account, your
stockbroker, or your domain registrar, someone else can share
your login.
It is a security design error in the development environments
for active server pages (all of them). Every such development
environment will have to be changed, and every login script
written for existing environments needs to have some kind of
workaround cobbled into it.
The ideal solution is to change the development environment so
that your session identifier is linked to the shared symmetric
key used in any https conversation during that session, which
requires tight coupling of https and development environments
for active server pages.
In the long term, https must be amended to have a concept of
login and session, and make that sessionID available to the
server side coding environments.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
SnDt+rS7QWjKfmo0bTes8RJ5F6sGgF/gULJmRunl
4xIiGoxSbiGMryITmfRKr11XPrglqtpA2RWHUDI+p
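An added illustration, not part of the original post or of the Acros paper, of the kind of login-script workaround the message refers to. The fixation hole is that the server adopts whatever session identifier the client presents and then marks that identifier as authenticated; the workaround assumed here is to discard the pre-login session and issue a fresh, server-generated identifier at the moment of authentication. The SessionStore, the two login functions and the attacker-planted identifier are hypothetical stand-ins for an application server's session table and cookie handling.

```python
import secrets


class SessionStore:
    """Toy in-memory stand-in for an application server's session table."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": username or None}

    def new_session(self):
        """Issue a fresh, unguessable, server-chosen session identifier."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid


def login_fixable(store, presented_sid, username):
    """Vulnerable login: keeps whatever session id the client presented.

    If the id is unknown, the server creates a session under the
    client-chosen identifier; an attacker who planted that id in the
    victim's browser now shares the authenticated session.
    """
    if presented_sid not in store.sessions:
        store.sessions[presented_sid] = {"user": None}
    store.sessions[presented_sid]["user"] = username
    return presented_sid


def login_hardened(store, presented_sid, username):
    """Workaround: drop the pre-login session, issue a new id at login.

    Any identifier the client arrived with (planted or not) is discarded,
    so an attacker holding the old id learns nothing from the login.
    """
    store.sessions.pop(presented_sid, None)
    sid = store.new_session()
    store.sessions[sid]["user"] = username
    return sid


def whoami(store, sid):
    """Resolve a presented session id to the logged-in user, if any."""
    session = store.sessions.get(sid)
    return session["user"] if session else None


def simulate(login):
    """Run the fixation scenario against one login implementation.

    Returns (what the attacker's planted id resolves to after the victim
    logs in, what the victim's own id resolves to).
    """
    store = SessionStore()
    # Constructed scenario: the attacker chooses an id and plants it in the
    # victim's browser (for example via a crafted link carrying the id).
    attacker_sid = "attacker-chosen-id"
    # The victim's browser presents the planted id when logging in.
    victim_sid = login(store, attacker_sid, "alice")
    # The attacker then reuses the id he planted.
    return whoami(store, attacker_sid), whoami(store, victim_sid)


if __name__ == "__main__":
    print("fixable :", simulate(login_fixable))   # attacker shares alice's login
    print("hardened:", simulate(login_hardened))  # attacker's id resolves to nobody
```

The hardened variant also shows why the regenerated identifier has to come from the server: if the new id were derived from anything the client supplied, the attacker could predict it and the fix would be void.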
---------------------------------------------------------------------
The Cryptography Mailing List