Session Fixation Vulnerability in Web Based Apps
Rich Salz
rsalz at datapower.com
Fri Jun 13 21:58:32 EDT 2003
> To make the system entirely secure against this attack, we need
> to be able to enforce a one to one mapping between login
> sessions and https sessions. The existing tools for writing
> server side code do not provide us with any direct means of
> enforcing such a relationship.
I'm not paying very close attention to your posts. Paragraphs like the
above are the reason why. From
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25
    The following environment variables are exported into SSI files
    and CGI scripts:
        SSL_SESSION_ID    The hex-encoded SSL session id
Care to try again?
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
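As an added example (not part of the post, the thread, or mod_ssl itself), a minimal CGI-style login handler in Python that issues a fresh session token at login and binds it to the SSL_SESSION_ID mod_ssl exports, then refuses the token when it is presented over a different TLS session. The `environ` dict, the in-memory `SESSIONS` store and the sample session ids are assumptions constructed for the example.

```python
import hmac
import secrets

# Server-side session store: token -> record. Constructed in-memory store for
# the example; a real deployment would back this with a DB or cache.
SESSIONS = {}


def login(username, environ):
    """Create a fresh session at login and bind it to the TLS session.

    `environ` is the CGI environment; mod_ssl exports SSL_SESSION_ID there
    (hex-encoded) for HTTPS requests. Issuing a new token at login instead
    of reusing a pre-login one is the basic session fixation defence; tying
    it to SSL_SESSION_ID adds the one-to-one mapping between login session
    and HTTPS session that the quoted paragraph asks for.
    """
    tls_id = environ.get("SSL_SESSION_ID")
    if not tls_id:
        raise PermissionError("login requires an HTTPS connection")
    token = secrets.token_urlsafe(32)  # never accept a client-supplied id
    SESSIONS[token] = {"user": username, "tls_id": tls_id}
    return token


def authenticate(token, environ):
    """Return the user for `token`, or None if it is not valid on this
    TLS session. A mismatch invalidates the session server-side."""
    record = SESSIONS.get(token)
    if record is None:
        return None
    tls_id = environ.get("SSL_SESSION_ID", "")
    # Constant-time compare. A mismatch means the cookie arrived over a
    # different TLS session: hijack, fixation, or merely a renegotiated or
    # expired TLS session. In every case drop it and force re-login.
    if not hmac.compare_digest(record["tls_id"], tls_id):
        SESSIONS.pop(token, None)
        return None
    return record["user"]
```

Because TLS session ids legitimately change on renegotiation or cache expiry, this binding trades some usability for the strict mapping; the cost is an extra login, never a silently accepted foreign session.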
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com