Session Fixation Vulnerability in Web Based Apps

Daniel Carosone dan at geek.com.au
Sat Jun 14 04:24:50 EDT 2003


On Fri, Jun 13, 2003 at 09:58:32PM -0400, Rich Salz wrote:
> The following environment variables are exported into SSI files
> and CGI scripts:
>     SSL_SESSION_ID The hex-encoded SSL session id

The problem is that this is not especially useful in practice, if
your client is IE. Essentially, you can't rely on IE to keep SSL
sessions open from one request to the next, and thus it's not
practical to treat this as a significant authentication token.

--
Dan.
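The exchange above contrasts two ways of tying an application session to a user: binding it to the web server's exported SSL_SESSION_ID, and minting a fresh unguessable token at login (the usual session-fixation fix). The following is an added illustration, not code from the post or from any project it mentions; the CGI `environ` dictionaries, session ids and client behaviours are constructed to show what happens when a client such as the IE described above negotiates a new SSL session on every request.

```python
"""Added example: fragility of binding app sessions to SSL_SESSION_ID versus
issuing a fresh token at login. All environments, ids and client behaviours
below are constructed; they stand in for the CGI environ of successive requests."""
import secrets

# --- Scheme 1: bind the app session to the SSL_SESSION_ID the server exports ---
class SslBoundSessions:
    def __init__(self):
        self._by_user = {}          # user -> SSL session id recorded at login

    def login(self, user, environ):
        self._by_user[user] = environ["SSL_SESSION_ID"]

    def is_authenticated(self, user, environ):
        # Trust the request only if it arrives on the same SSL session as the login.
        return self._by_user.get(user) == environ.get("SSL_SESSION_ID")

# --- Scheme 2: mint a fresh, unguessable token at login (fixation defence) ---
class TokenSessions:
    def __init__(self):
        self._tokens = {}           # token -> user

    def login(self, user, presented_token=None):
        # Never adopt a token the client presented before authenticating; that is
        # exactly the fixation case. Always mint a new one and return it to the client.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return token

    def is_authenticated(self, user, token):
        return self._tokens.get(token) == user

def simulate_ssl_bound(session_ids):
    """Count how many post-login requests are accepted when the client presents
    this sequence of SSL session ids (the first id is the login request)."""
    s = SslBoundSessions()
    s.login("alice", {"SSL_SESSION_ID": session_ids[0]})
    return sum(s.is_authenticated("alice", {"SSL_SESSION_ID": sid})
               for sid in session_ids[1:])

# Constructed client behaviours; the hex values are made-up session ids.
KEEPS_SESSION = ["a1b2c3"] * 4                               # resumes the SSL session
RENEGOTIATES = ["a1b2c3", "d4e5f6", "0789ab", "cdef01"]      # new SSL session each request

if __name__ == "__main__":
    print("resuming client, requests accepted:", simulate_ssl_bound(KEEPS_SESSION))    # 3
    print("renegotiating client, requests accepted:", simulate_ssl_bound(RENEGOTIATES))  # 0
    t = TokenSessions()
    tok = t.login("alice", presented_token="set-before-login")
    print("pre-login token honoured:", t.is_authenticated("alice", "set-before-login"))  # False
    print("minted token honoured:", t.is_authenticated("alice", tok))                   # True
```

With the renegotiating client every request after login is rejected, so the SSL session id cannot serve as the authentication token; the minted token is accepted regardless of how the transport behaves.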

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com