Session Fixation Vulnerability in Web Based Apps
James A. Donald
jamesd at echeque.com
Mon Jun 16 12:51:39 EDT 2003
James A. Donald:
> > Which is fine provided your code, rather than the framework
> > code provided the cookie, and provided you generated the
> > cookie in response to a valid login, as Ben Laurie does.
> > The framework, however, generally provides insecure
> > cookies.
Ng Pheng Siong:
> Dynamic programming environments like Lisp, Smalltalk and
> Python allow the application programmer to replace parts of a
> framework with other code easily.
The word "environment", like "framework", is overloaded. I had
in mind such frameworks as PHP, struts, and ASP. mod_perl
makes you do your own damn cookie management as far as I know,
and so would not in itself cause the session fixation problem,
though programmer error might very easily cause it.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
M2QqNF3SbBJ8ZBL5r77vtVp17bYimpkgCZWrCRxA
4YMBoFimaPGsULDLow0LdwGBbNKGNfrlCjIFpMfYa
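The distinction the thread draws, a framework-issued pre-login session id that gets "upgraded" at login versus a fresh id generated by your own code in response to a valid login, as an added example that is not part of the original post. The in-memory store and the `login_fixable` / `login_safe` names are constructed for this illustration, not any real framework's API; both login methods assume credentials were already checked.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store (example only, not a real framework)."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": username or None}

    def get_or_create(self, cookie):
        """Framework-style behaviour: accept whatever id the client presents,
        minting one only if it is missing or unknown."""
        if cookie is None or cookie not in self.sessions:
            cookie = secrets.token_urlsafe(32)
            self.sessions[cookie] = {"user": None}
        return cookie

    def login_fixable(self, cookie, user):
        """Session fixation pattern: the pre-login id is kept and marked as
        authenticated, so anyone who learned that id before login now holds
        the authenticated session."""
        sid = self.get_or_create(cookie)
        self.sessions[sid]["user"] = user
        return sid

    def login_safe(self, cookie, user):
        """Mitigation from the thread: discard the presented id and issue a
        fresh random cookie in response to the valid login."""
        if cookie in self.sessions:
            del self.sessions[cookie]
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user}
        return sid

    def user_for(self, cookie):
        s = self.sessions.get(cookie)
        return s["user"] if s else None


def demo(safe):
    """Returns (user the pre-login id resolves to after login, whether a new
    id was issued). A safe login must give (None, True)."""
    store = SessionStore()
    pre_login_id = store.get_or_create(None)  # id known before authentication
    if safe:
        sid = store.login_safe(pre_login_id, "alice")
    else:
        sid = store.login_fixable(pre_login_id, "alice")
    return store.user_for(pre_login_id), sid != pre_login_id
```

Checking that the pre-login id no longer resolves to any user after login is the simplest regression test for this class of bug in an application's own session code.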
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com