Sessions

Jill.Ramonsky at Aculab.com
Mon Jun 16 10:36:54 EDT 2003


> From: Matthew Byng-Maddick [mailto:cryptography at lists.colondot.net]
> Sent: Monday, June 16, 2003 2:28 PM
> To: cryptography at metzdowd.com
> Subject: Re: Session Fixation Vulnerability in Web Based Apps
> 
> 
> On Mon, Jun 16, 2003 at 10:47:04AM +0100, Jill.Ramonsky at Aculab.com wrote:
> > session id). Authentication of subsequent pages is assumed only if the
> > client's IP address matches the IP address stored in the session variable
> > corresponding to the client's session.
> > Is this secure? If not, why not?
> 
> It's not a question of whether it's secure or not, in any kind of environment
> with distributed proxies, it just plain won't work.



I think I understand this, but I'm not sure if it matters. It seems to me
that a false negative (failed login) is not particularly serious, and that
the emphasis should be on preventing false positives (hackers). So ... if
you find that you can't log in from work (or anywhere you may have
distributed proxies), tough. Just try again when you get home, where there
are no distributed proxies in the way. If you believe that security is more
important than convenience, is this not reasonable?

The point is that, since IP spoofing is difficult (at least, considerably
MORE difficult than stealing a session key), you could be fairly sure you
were cutting out an awful lot of hacker attacks.

I freely admit that I don't understand all the issues here, but this does
seem pretty straightforward. What am I missing?

Jill
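
As an added illustration of the IP-binding scheme under discussion (example code written for this archive page, not Jill's or Matthew's code and not taken from any product named in the thread): a small in-memory session store that records the client address at login and rejects any later request whose address differs. The `SessionStore` and `simulate_scenarios` names and the addresses used are assumptions for the example. It shows the stolen-cookie case the check is meant to stop, the rotating proxy pool that produces the false negatives Matthew describes, and the fresh-id-at-login step that is the standard fix for the session fixation problem in the thread's subject line.

```python
import secrets
from typing import Dict, List, Optional

# Added example: in-memory session store that binds each session to the
# client IP seen at login. All names and addresses below are assumptions.


class SessionStore:
    def __init__(self) -> None:
        # sid -> {"user": ..., "ip": ...}
        self._sessions: Dict[str, Dict[str, str]] = {}

    def login(self, user: str, client_ip: str,
              presented_sid: Optional[str] = None) -> str:
        # Always mint a fresh, unguessable id on successful authentication.
        # Never promote a pre-existing (possibly attacker-chosen) id to
        # "logged in": that is the session fixation bug.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip}
        if presented_sid is not None:
            # Discard whatever id the browser presented before login.
            self._sessions.pop(presented_sid, None)
        return sid

    def authenticate(self, sid: str, client_ip: str) -> Optional[str]:
        # Returns the user name if the session is valid for this client,
        # otherwise None (treated as "not logged in").
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["ip"] != client_ip:
            # IP mismatch: rejects a cookie replayed from another host, but
            # also rejects a legitimate user whose egress address changed.
            return None
        return rec["user"]


def simulate_scenarios() -> Dict[str, object]:
    # Constructed addresses (documentation ranges), not real hosts.
    store = SessionStore()
    home_ip = "203.0.113.10"
    attacker_ip = "198.51.100.7"
    results: Dict[str, object] = {}

    # 1. Normal use from a fixed address, then the cookie is replayed
    #    from a different address (stolen session key).
    sid = store.login("jill", home_ip)
    results["same_ip"] = store.authenticate(sid, home_ip)
    results["stolen_cookie_other_ip"] = store.authenticate(sid, attacker_ip)

    # 2. Distributed proxies: successive requests from the same user leave
    #    through different pool members, so only the first one matches.
    proxy_pool = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
    work_sid = store.login("jill", proxy_pool[0])
    results["proxy_pool_rotation"] = [
        store.authenticate(work_sid, ip) for ip in proxy_pool
    ]

    # 3. Session fixation attempt: the attacker plants an id in the victim's
    #    browser, the victim logs in, and the attacker tries the planted id.
    planted = "attacker-chosen-id"
    victim_sid = store.login("jill", home_ip, presented_sid=planted)
    results["fixation_planted_id_valid"] = store.authenticate(planted, attacker_ip)
    results["fixation_new_id_differs"] = victim_sid != planted
    return results


if __name__ == "__main__":
    for name, value in simulate_scenarios().items():
        print(f"{name}: {value!r}")
```

The proxy-pool case is the point of Matthew's objection: nothing is wrong with the user or the session, yet two of three requests are refused, which is what makes the scheme unusable rather than merely inconvenient for users behind such infrastructure. The fixation case is independent of IP binding: the planted id never becomes valid because login always issues a new one.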


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
