Session Fixation Vulnerability in Web Based Apps
tom st denis
tomstdenis at yahoo.com
Fri Jun 13 14:16:26 EDT 2003
--- "James A. Donald" <jamesd at echeque.com> wrote:
> --
> On 12 Jun 2003 at 16:25, Steve Schear wrote:
> http://www.acros.si/papers/session_fixation.pdf
>
> Wow.
>
> This flaw is massive, and the biggest villain is the server
> side code created for Apache.
You really lack some fundamental understanding.
https uses a secure private link to create a private http session. It
has NOTHING to do with authentication or identity.
For example, when you first log in to say yahoo [for email] you're on
https. Even before yahoo knows who you are. Think of a verbal
handshake in the "Get Smart" cone of silence.
The fact that people randomly give away *their* secrets doesn't mean
the system is flawed. It means the people are ignorant.
Tom
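Tom's point, that a session created before login carries no identity, is exactly what a fixation-resistant server must enforce: the identifier a client brought along before authenticating must never become the authenticated one. Added example, not code from the thread or the referenced paper; the user table and credentials are constructed for the demo.

```python
"""Session fixation demo: a store that keeps the client-presented session
ID across login leaves whoever chose that ID holding an authenticated
session. Regenerating the ID at the moment of authentication is the fix.
"""
import secrets

# Constructed demo credential table; real systems store password hashes.
USERS = {"alice": "correct-horse"}


class SessionStore:
    def __init__(self):
        self._sessions = {}  # sid -> {"user": username or None}

    def get_or_create(self, presented_sid=None):
        """Pre-login: reuse a known ID the client presents, else mint one."""
        if presented_sid not in self._sessions:
            presented_sid = secrets.token_urlsafe(32)
            self._sessions[presented_sid] = {"user": None}
        return presented_sid

    def login_vulnerable(self, sid, user, password):
        """Fixation-prone: marks whatever ID the client brought as logged in."""
        if USERS.get(user) != password:
            return None
        self._sessions[sid]["user"] = user
        return sid  # same ID the client (or a third party) chose earlier

    def login_hardened(self, sid, user, password):
        """Mitigated: retire the pre-login ID and issue a fresh one."""
        if USERS.get(user) != password:
            return None
        self._sessions.pop(sid, None)  # old ID no longer maps to anything
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        """Who, if anyone, the server believes owns this session ID."""
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None
```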
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com