Session Fixation Vulnerability in Web Based Apps

Matthew Byng-Maddick cryptography at lists.colondot.net
Mon Jun 16 09:27:48 EDT 2003


On Mon, Jun 16, 2003 at 10:47:04AM +0100, Jill.Ramonsky at Aculab.com wrote:
> session id). Authentication of subsequent pages is assumed only if the
> client's IP address matches the IP address stored in the session variable
> corresponding to the client's session.
> Is this secure? If not, why not?

It's not a question of whether it's secure or not: in any kind of environment
with distributed proxies, it just plain won't work.

A more useful fix is to not allow arbitrary session IDs to be created, and
generate the state on login, and destroy it on logout. There may be a
condition I've missed with this, but I'm not sure.

MBM

-- 
Matthew Byng-Maddick         <mbm at colondot.net>           http://colondot.net/
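The two points above (IP pinning breaks behind proxy pools; the real fix is to refuse client-chosen session IDs, mint state at login and destroy it at logout) as an added, runnable illustration. This is example code written for this page, not code from the poster or from any particular framework; the class names, the `fixation_attack` helper and the sample addresses are all hypothetical and constructed here.

```python
"""Session fixation: a store that adopts client-supplied IDs versus one that
only honours server-minted IDs, rotates at login and destroys at logout.
Added example; all names and sample data are constructed for illustration."""
import secrets


class VulnerableSessions:
    """Adopts whatever session ID the client presents. An attacker who plants
    a known ID in the victim's cookie shares the victim's session after the
    victim logs in, because the ID survives the privilege change."""

    def __init__(self):
        self.store = {}

    def get_or_create(self, client_sid):
        # BUG: an unknown, client-chosen ID becomes a valid server session.
        if client_sid is None:
            client_sid = secrets.token_urlsafe(16)
        self.store.setdefault(client_sid, {"user": None})
        return client_sid

    def login(self, sid, user):
        # BUG: the pre-authentication ID is kept after authentication.
        self.store[sid]["user"] = user
        return sid

    def user_for(self, sid):
        return self.store.get(sid, {}).get("user")


class FixedSessions:
    """MBM's fix: only IDs this server issued are honoured; a fresh ID is
    generated at login and the session is destroyed at logout."""

    def __init__(self):
        self.store = {}

    def get_or_create(self, client_sid):
        if client_sid in self.store:
            return client_sid
        # Unknown ID (fixated, forged or expired): ignore it, mint a new one.
        sid = secrets.token_urlsafe(32)
        self.store[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        # Rotate: drop the anonymous session and issue a new ID for the
        # authenticated state, so any ID an attacker planted is now dead.
        self.store.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.store[new_sid] = {"user": user}
        return new_sid

    def logout(self, sid):
        self.store.pop(sid, None)

    def user_for(self, sid):
        return self.store.get(sid, {}).get("user")


def fixation_attack(sessions):
    """Attacker plants a known ID in the victim's browser, the victim logs
    in, then the attacker presents that same ID. Returns the user the
    attacker's cookie now resolves to (None means the attack failed)."""
    attacker_sid = "attacker-chosen-id"  # constructed value
    victim_sid = sessions.get_or_create(attacker_sid)
    sessions.login(victim_sid, "alice")
    return sessions.user_for(attacker_sid)


def ip_pinned_session_ok(pinned_ip, request_ips):
    """The scheme from the question: reject any request whose source IP
    differs from the one recorded at login."""
    return all(ip == pinned_ip for ip in request_ips)


# A legitimate client whose requests egress through a pool of proxies with
# different addresses (constructed sample) is locked out by IP pinning.
PROXY_POOL_REQUESTS = ["203.0.113.5", "203.0.113.9", "203.0.113.5"]

if __name__ == "__main__":
    print("vulnerable store leaks:", fixation_attack(VulnerableSessions()))
    print("fixed store leaks:", fixation_attack(FixedSessions()))
    print("IP pinning behind proxy pool:",
          ip_pinned_session_ok(PROXY_POOL_REQUESTS[0], PROXY_POOL_REQUESTS))
```

The only property the attacker relies on is that the server treats an ID it never issued as valid; refusing such IDs and rotating the ID at the moment the session gains privileges removes that property without any reliance on client addresses.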

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
