Session Fixation Vulnerability in Web Based Apps
James A. Donald
jamesd at echeque.com
Sat Jun 14 14:36:48 EDT 2003
--
Rich Salz:
> > The following environment variables are exported into SSI
> > files and CGI scripts:
> > SSL_SESSION_ID The hex-encoded SSL session id
On 14 Jun 2003 at 18:24, Daniel Carosone wrote:
> The problem is that this is not especially useful in
> practice, if your client is IE. Essentially, you can't rely
> on IE to keep ssl sessions open from one request to the next,
> and thus it's not practical to treat this as a significant
> authentication token.
As I said earlier, there is no strong enforceable relationship
between an https session and a login session.
"This fortress wall not merely meets specifications, but is
invincible"
"But it only covers the north side of the fortress, and there
is a gate in the middle that a child could kick down"
"The specification was for the north wall, and the gate is the
responsibility of the supplies and transport division"
--digsig
James A. Donald
The Cryptography Mailing List
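An added example, not part of the thread or anyone's quoted code, of the application-side mitigation the subject line points at: since the TLS session id cannot serve as the login token, the server issues its own ids, ignores any id it never issued, and rotates the id at login so that a pre-login id planted by a third party never becomes an authenticated one. The store, the names and the short simulation are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

SESSION_TTL = 3600  # seconds; assumed value


@dataclass
class Session:
    user: Optional[str] = None
    created: float = field(default_factory=time.time)


class SessionStore:
    """Server-side session store; the login session is independent of the TLS session."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)  # unguessable, server-chosen id

    def get_or_create(self, cookie_id: Optional[str]) -> str:
        # Accept only ids this server issued; an unknown id presented by the
        # client (the fixation vector) is discarded and replaced.
        if cookie_id is not None and cookie_id in self._sessions:
            return cookie_id
        sid = self._new_id()
        self._sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str) -> str:
        # Rotate the id on authentication: the pre-login id is invalidated and
        # the authenticated state lives only under a fresh id.
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, created=time.time())
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        if s is None or time.time() - s.created > SESSION_TTL:
            return None
        return s.user


def fixation_attempt_succeeds(store: SessionStore) -> bool:
    """Simulate a planted id: victim arrives with it, logs in; is it now authenticated?"""
    planted = "id-chosen-by-someone-else"          # constructed, never issued by the server
    sid = store.get_or_create(planted)             # server substitutes its own id
    store.login(sid, "victim")                     # login rotates the id again
    return store.user_for(planted) == "victim"     # should be False
```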