Session Fixation Vulnerability in Web Based Apps

Ben Laurie ben at algroup.co.uk
Sat Jun 14 11:35:12 EDT 2003


James A. Donald wrote:

>     --
> On 12 Jun 2003 at 16:25, Steve Schear wrote: 
> http://www.acros.si/papers/session_fixation.pdf
> 
> Wow.
> 
> This flaw is massive, and the biggest villain is the server
> side code created for Apache.
> 
> When you login to your bank, your e-gold account, your 
> stockbroker, or your domain registrar, someone else can share 
> your login.
> 
> It is a security design error in the development environments
> for active server pages (all of them). Every such development
> environment will have to be changed, and every login script
> written for existing environments needs to have some kind of
> workaround cobbled into it.
> 
> The ideal solution is to change the development environment so 
> that your session identifier is linked to the shared symmetric 
> key used in any https conversation during that session, which 
> requires tight coupling of https and development environments 
> for active server pages.
> 
> In the long term, https must be amended to have a concept of 
> login and session, and make that sessionID available to the 
> server side coding environments. 

This isn't the case. I analysed several sites I work on for attacks of
the type described when this paper first came out. None of them were
vulnerable.

I suggest you read and think more carefully.

I will agree that an incautious implementor could get bitten by these
attacks, though.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
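The "incautious implementor" pattern Ben refers to, beside the regenerate-on-login mitigation, as an added Python example that is not code from this thread or from any of the server environments discussed; the in-memory session store, credential table and handler names are constructed for illustration:

```python
import hmac
import secrets

# Constructed credential table for the example; a real app checks a salted hash.
USERS = {"alice": "correct horse battery staple"}


def check_password(username, password):
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """In-memory session table (session id -> attributes), standing in for a
    framework's session backend."""

    def __init__(self):
        self.sessions = {}

    def new_id(self):
        return secrets.token_urlsafe(32)

    def lookup_or_create(self, sid):
        # Pre-login session: honour whatever id the client presents, creating it
        # if unknown. On its own this is harmless; what login does next matters.
        return self.sessions.setdefault(sid, {})

    def current_user(self, sid):
        return self.sessions.get(sid, {}).get("user")


def login_fixated(store, sid, username, password):
    """Vulnerable pattern: the pre-login session id is kept after authentication,
    so anyone who already knows that id now shares the login."""
    session = store.lookup_or_create(sid)
    if check_password(username, password):
        session["user"] = username
    return sid  # same id before and after login


def login_regenerating(store, sid, username, password):
    """Mitigation: on successful authentication, discard the pre-login session
    and bind the login to a freshly minted id carried only in this response."""
    if not check_password(username, password):
        return sid  # unchanged anonymous session; nothing privileged attached
    store.sessions.pop(sid, None)  # the pre-login id, whoever chose it, dies here
    new_sid = store.new_id()
    store.sessions[new_sid] = {"user": username}
    return new_sid  # the app sets this as the new session cookie
```

A login handler that regenerates the id this way is what makes the sites Ben mentions immune, independently of the TLS-binding redesign proposed above.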


---------------------------------------------------------------------
The Cryptography Mailing List