Session Fixation Vulnerability in Web Based Apps
Ben Laurie
ben at algroup.co.uk
Sat Jun 14 11:35:12 EDT 2003
James A. Donald wrote:
> --
> On 12 Jun 2003 at 16:25, Steve Schear wrote:
> http://www.acros.si/papers/session_fixation.pdf
>
> Wow.
>
> This flaw is massive, and the biggest villain is the server
> side code created for Apache.
>
> When you login to your bank, your e-gold account, your
> stockbroker, or your domain registrar, someone else can share
> your login.
>
> It is a security design error in the development environments
> for active server pages (all of them). Every such development
> environment will have to be changed, and every login script
> written for existing environments needs to have some kind of
> workaround cobbled into it.
>
> The ideal solution is to change the development environment so
> that your session identifier is linked to the shared symmetric
> key used in any https conversation during that session, which
> requires tight coupling of https and development environments
> for active server pages.
>
> In the long term, https must be amended to have a concept of
> login and session, and make that sessionID available to the
> server side coding environments.
This isn't the case. I analysed several sites I work on for attacks of
the type described when this paper first came out. None of them were
vulnerable.
I suggest you read and think more carefully.
I will agree that an incautious implementor could get bitten by these
attacks, though.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
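The defect the thread argues over, as an added example that is not code from the Acros paper or from either poster: a toy cookie-session store in which a login handler that keeps the pre-authentication session ID lets anyone who already knew that ID share the authenticated session, beside the two server-side fixes (refuse IDs the server never issued, and regenerate the ID at login). The store, the class names and the session values are constructed for illustration.

```python
import secrets

# Constructed in-memory session store standing in for a cookie-based web app.
class SessionStore:
    def __init__(self):
        self.sessions = {}  # session_id -> session data

    def resume(self, presented_id, accept_unknown=True):
        """Return the session ID the server will use for this request.
        accept_unknown=True adopts any ID the client presents, even one the
        server never issued; that is what makes fixation possible.
        accept_unknown=False ignores unknown IDs and issues a fresh one."""
        if presented_id in self.sessions:
            return presented_id
        sid = presented_id if accept_unknown else secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, session_id, user):
        # Authenticates the user but keeps the pre-login session ID alive.
        self.sessions[session_id]["user"] = user
        return session_id

    def login_fixed(self, session_id, user):
        # Regenerate at privilege change: destroy the old ID, issue a new one.
        old = self.sessions.pop(session_id, {})
        new_id = secrets.token_urlsafe(32)
        self.sessions[new_id] = {**old, "user": user}
        return new_id

    def whoami(self, session_id):
        return self.sessions.get(session_id, {}).get("user")


def demo(fixed):
    """Simulate a browser arriving with a session ID it was handed before
    authenticating, then logging in as 'alice'. Returns
    (server adopted the client-supplied ID, user seen via the pre-login ID,
     user seen via the ID returned by login)."""
    store = SessionStore()
    client_supplied = "constructed-prelogin-id"  # known before authentication
    pre = store.resume(client_supplied, accept_unknown=not fixed)
    handler = store.login_fixed if fixed else store.login_vulnerable
    post = handler(pre, "alice")
    return pre == client_supplied, store.whoami(pre), store.whoami(post)


if __name__ == "__main__":
    print("vulnerable:", demo(False))  # (True, 'alice', 'alice')
    print("fixed:     ", demo(True))   # (False, None, 'alice')
```

With the vulnerable handler the pre-login ID still resolves to the authenticated user; with both fixes applied only the freshly issued ID does.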