What happened with the session fixation bug?
James A. Donald
jamesd at echeque.com
Mon May 23 12:37:26 EDT 2005
--
James A. Donald:
> > PKI was designed to defeat man in the middle attacks
> > based on network sniffing, or DNS hijacking, which
> > turned out to be less of a threat than expected.
> >
> > However, the session fixation bugs
> > http://www.acros.si/papers/session_fixation.pdf make
> > https and PKI worthless against such man in the
> > middle attacks. Have these bugs been addressed?
On 20 May 2005 at 23:21, Ben Laurie wrote:
> Do they exist? Certainly any session ID I've ever had
> a hand in has two properties that strongly resist
> session fixation:
>
> a) If a session ID arrives, it should already exist in
> the database.
>
> b) Session IDs include HMACs.
The way to beat session fixation is to issue a
privileged and impossible to predict session ID in
response to a correct login.
If, however, you grant privileges to a session ID on the
basis of a successful login, which is in fact the usual
practice, you are hosed. The normal programming model
creates a session ID, then sets variables and flags
associated with that session ID in response to forms
submitted by the user. To prevent session fixation, you
must create the session ID with unchangeable privileges
from the moment of creation. Perhaps you do this, but
very few web sites do.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
en30AWb8dk9T67RFzUse67CG7ZHHoOHC5OR/mndW
4T4xroZR7GeKinK0sMRNQ+4Pdj6ApUEu4FCGDghE5
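The point James makes above, that Ben's two properties (the ID must already exist in the database, and it carries an HMAC) do not by themselves stop fixation if the server attaches privileges to whatever pre-login ID the browser presents, can be shown with a small simulation. The following is an added example written for this archive page, not code from either poster; the session store, the `SECRET_KEY`, the `USERS` table and the credentials in it are constructed sample values. The store implements both properties and then lets you toggle between the usual model (set a flag on the existing ID after login) and the remedy described in the post (mint a fresh unpredictable ID with its privileges fixed at creation, and discard the old one).

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demonstration only.
SECRET_KEY = b"constructed-demo-key-not-for-production"
USERS = {"alice": "correct horse"}  # constructed sample credential store


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed user table."""
    return hmac.compare_digest(USERS.get(username, ""), password)


class SessionStore:
    """In-memory session store with Ben Laurie's two properties:
    (a) a presented ID must already exist in the store, and
    (b) IDs carry an HMAC so forged or tampered IDs are rejected.
    `rotate_on_login` selects between the usual model and the remedy."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> dict of session variables

    def _tag(self, raw: str) -> str:
        return hmac.new(SECRET_KEY, raw.encode(), hashlib.sha256).hexdigest()[:32]

    def _mint_id(self) -> str:
        # 128 bits of CSPRNG output plus an HMAC tag: unpredictable and unforgeable.
        raw = secrets.token_hex(16)
        return f"{raw}.{self._tag(raw)}"

    def _valid_format(self, sid: str) -> bool:
        try:
            raw, tag = sid.split(".")
        except ValueError:
            return False
        return hmac.compare_digest(tag, self._tag(raw))

    def new_session(self) -> str:
        """Anonymous, unprivileged session handed out on first visit."""
        sid = self._mint_id()
        self.sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        # Property (b): HMAC must verify.  Property (a): ID must already be known.
        if sid is None or not self._valid_format(sid) or sid not in self.sessions:
            return None
        return self.sessions[sid]

    def login(self, sid: str, username: str, password: str) -> str:
        """Process a login form; returns the session ID the client must use next."""
        if not check_password(username, password):
            return sid
        if self.rotate_on_login:
            # Remedy: privileges live only in a brand-new ID, set at creation and
            # never added to an ID that existed before authentication.
            self.sessions.pop(sid, None)  # the pre-login ID is dead from here on
            new_sid = self._mint_id()
            self.sessions[new_sid] = {"user": username}
            return new_sid
        # Usual model: flip a flag on whatever ID the browser presented.
        sess = self.lookup(sid)
        if sess is None:
            sid = self.new_session()
            sess = self.sessions[sid]
        sess["user"] = username
        return sid


def fixation_scenario(rotate_on_login: bool) -> bool:
    """Returns True if a pre-login ID that a third party already knows ends up
    authenticated as the victim after the victim logs in with it."""
    store = SessionStore(rotate_on_login)
    known_sid = store.new_session()  # a genuine ID: passes both (a) and (b)
    # The victim's browser presents that pre-existing ID when submitting the login form.
    store.login(known_sid, "alice", "correct horse")
    # Whoever held the original ID now checks what it is worth.
    sess = store.lookup(known_sid)
    return sess is not None and sess["user"] == "alice"


if __name__ == "__main__":
    print("usual model, ID hijacked:", fixation_scenario(rotate_on_login=False))
    print("rotate on login, ID hijacked:", fixation_scenario(rotate_on_login=True))
```

With `rotate_on_login=False` the store passes both of Ben's checks and is still fixable, because the privilege was granted to an ID that existed before the login. With `rotate_on_login=True` the old ID is gone and the only privileged ID is one nobody but the authenticated client has seen, which is the remedy the post describes. A forged ID such as `"0"*32 + ".deadbeef"` is rejected by `lookup` in either mode, so the HMAC is still worth having; it just answers a different threat.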
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com