What happened with the session fixation bug?
Ben Laurie
ben at algroup.co.uk
Fri May 20 18:21:35 EDT 2005
James A. Donald wrote:
> --
> PKI was designed to defeat man in the middle attacks
> based on network sniffing, or DNS hijacking, which
> turned out to be less of a threat than expected.
>
> However, the session fixation bugs
> http://www.acros.si/papers/session_fixation.pdf make
> https and PKI worthless against such man in the middle
> attacks. Have these bugs been addressed?
Do they exist? Certainly any session ID I've ever had a hand in has two
properties that strongly resist session fixation:
a) If a session ID arrives, it should already exist in the database.
b) Session IDs include HMACs.
Session fixation is defeated by either of these. Modulo insider attacks,
of course. :-)
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
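The two session-ID properties Ben lists, shown side by side with the vulnerable pattern they replace, as an added example that is not part of the original post. The vulnerable store adopts whatever ID the client presents (the hinge of the Acros session fixation attack); the hardened store rejects any ID that does not carry a valid HMAC or is not already in the server-side table. The store classes, `SERVER_KEY` and the ID format `random.hmac` are assumptions for illustration, not code from the post or from Apache-SSL. The hardened store also rotates the ID at login, a standard mitigation the post does not mention, because properties (a) and (b) alone do not stop an attacker who first obtains a legitimate ID from the server and plants that one.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key for the session-ID HMAC (an assumption, not from the post).
SERVER_KEY = secrets.token_bytes(32)


class FixableSessionStore:
    """Vulnerable pattern: the server adopts whatever session ID the client presents."""

    def __init__(self):
        self.sessions = {}

    def resolve(self, presented_id):
        # Fixation hinge: a client-chosen ID silently becomes a real session.
        sid = presented_id if presented_id is not None else secrets.token_urlsafe(16)
        self.sessions.setdefault(sid, {})
        return sid

    def login(self, presented_id, user):
        sid = self.resolve(presented_id)
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


class HardenedSessionStore:
    """Properties (a) and (b) from the post, plus ID rotation at login."""

    def __init__(self, key):
        self.key = key
        self.sessions = {}

    def _tag(self, rand):
        return hmac.new(self.key, rand.encode(), hashlib.sha256).hexdigest()

    def _mint(self):
        # token_urlsafe never contains ".", so the separator is unambiguous.
        rand = secrets.token_urlsafe(16)
        sid = rand + "." + self._tag(rand)     # property (b): the ID carries an HMAC
        self.sessions[sid] = {}
        return sid

    def _valid(self, sid):
        if not sid or "." not in sid:
            return False
        rand, tag = sid.rsplit(".", 1)
        if not hmac.compare_digest(self._tag(rand), tag):
            return False                       # (b): a forged or attacker-chosen ID fails here
        return sid in self.sessions            # (a): the ID must already exist server-side

    def resolve(self, presented_id):
        # A presented ID is honoured only if it verifies; otherwise a fresh one is issued.
        return presented_id if self._valid(presented_id) else self._mint()

    def login(self, presented_id, user):
        old = self.resolve(presented_id)
        self.sessions.pop(old, None)           # rotation: any pre-login ID is discarded
        sid = self._mint()
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        if not self._valid(sid):
            return None
        return self.sessions[sid].get("user")


def fixation_attack(store, planted_id):
    """Attacker plants planted_id in the victim's browser; victim logs in; attacker reuses it.

    Returns (user the attacker sees via the planted ID, ID the victim's browser ends up with).
    """
    victim_sid = store.login(planted_id, "victim")   # victim's browser sends the planted ID
    return store.user_for(planted_id), victim_sid


if __name__ == "__main__":
    weak = FixableSessionStore()
    print("fixable store, attacker-chosen ID:", fixation_attack(weak, "attacker-chosen")[0])

    hard = HardenedSessionStore(SERVER_KEY)
    print("hardened store, attacker-chosen ID:", fixation_attack(hard, "attacker-chosen")[0])
    obtained = hard.resolve(None)   # attacker fetches a genuine ID from the server first
    print("hardened store, attacker-obtained ID:", fixation_attack(hard, obtained)[0])
```

Run against the fixable store, the attacker reads the victim's session through the ID they chose; against the hardened store the chosen ID fails the HMAC check before any lookup, and an ID the attacker legitimately obtained is invalidated by the rotation at login, so the victim's session ends up under an ID the attacker never saw.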
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com