Session Fixation Vulnerability in Web Based Apps
James A. Donald
jamesd at echeque.com
Sun Jun 15 14:34:55 EDT 2003
--
On 14 Jun 2003 at 19:07, Rich Salz wrote:
> When I've done login and state management, it's all
> maintained on the server side. It's completely independent
> of SSL sessions -- that's transport, has no place in
> application -- just like it's completely independent of
> HTTP/1.1 session management. A logout page isn't the same as
> "Connection: close" :)
>
> The only thing in the cookie is an opaque identifier. It's
> purely random bytes (for which OpenSSL's RAND_bytes() is
> useful),
Which is fine provided your code, rather than the framework
code, provided the cookie, and provided you generated the cookie
in response to a valid login, as Ben Laurie does. The
framework, however, generally provides insecure cookies.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
hOTy2gXIGpC8U37+/qzVoX8ytaUtHZWZGueU4kX5
4GiXuHCpc1B85Pv2WN8p5d7FESFJMHlg5qC2hqlGr
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
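The distinction the two posters are drawing, as an added example that is not code from either of them or from any framework they mention: a minimal in-memory session store with two login paths. The "fixating" path does what a typical framework does by default, accepting whatever session id the client already presents and simply attaching the authenticated user to it; the "rotating" path does what Donald credits Ben Laurie with, issuing a fresh opaque id, generated from a CSPRNG, only in response to a valid login and discarding the pre-login id. Python's `secrets` module stands in for OpenSSL's `RAND_bytes()`; the class, method names and the constructed scenario in `demo_fixation` are assumptions made for illustration.

```python
import secrets


class SessionStore:
    """In-memory session store keyed by an opaque session identifier
    (hypothetical illustration, not any framework's real implementation)."""

    def __init__(self):
        self._sessions = {}

    def new_id(self):
        # 32 bytes from the OS CSPRNG, hex-encoded. This plays the role of
        # the OpenSSL RAND_bytes() call mentioned in the thread.
        return secrets.token_hex(32)

    def get_or_create(self, sid):
        """Framework-style behaviour: accept the id the client presents and,
        if the server has never seen it, create an anonymous session under
        that very id. This is the step that makes fixation possible."""
        if sid is None:
            sid = self.new_id()
        if sid not in self._sessions:
            self._sessions[sid] = {"user": None}
        return sid

    def login_fixating(self, sid, user):
        """Vulnerable: the authenticated user is attached to whatever id the
        client held before authenticating."""
        sid = self.get_or_create(sid)
        self._sessions[sid]["user"] = user
        return sid

    def login_rotating(self, sid, user):
        """Hardened: the server mints a fresh id at the moment of successful
        login and drops the pre-login one, so an id that existed before
        authentication never maps to an authenticated session."""
        if sid in self._sessions:
            del self._sessions[sid]
        new_sid = self.new_id()
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        """Return the user bound to sid, or None if the session is unknown
        or anonymous."""
        session = self._sessions.get(sid)
        return session["user"] if session else None


def demo_fixation(rotate):
    """Constructed scenario: a client authenticates while already holding a
    session id that was chosen before login (here a fixed string). Returns
    (user bound to the pre-login id after login, id the client ends up with).
    With the fixating login the pre-login id now carries the account; with
    the rotating login it is dead and a new id is in use."""
    store = SessionStore()
    pre_login_id = "id-known-before-login"  # constructed, not a real id
    if rotate:
        final_id = store.login_rotating(pre_login_id, "alice")
    else:
        final_id = store.login_fixating(pre_login_id, "alice")
    return store.user_for(pre_login_id), final_id


if __name__ == "__main__":
    print("fixating:", demo_fixation(False))  # pre-login id now maps to alice
    print("rotating:", demo_fixation(True))   # pre-login id maps to nothing
```

The check a reviewer would apply to any real framework is the one `demo_fixation` encodes: after a successful login, does the session identifier the client held beforehand still resolve to the authenticated session? If it does, the cookie was "provided by the framework" in Donald's sense, and the login code needs to regenerate it.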