
Re: Hijacking URL Encoded Session IDs using Referer Logs

From: zeno <bugtraq(at)cgisecurity.net>
Date: Mon Nov 25 2002 - 08:48:57 EST


Not to my knowledge. I guess the question would be why would you store the session ID in a user's URL? I suppose people who are too lazy to learn about cookies and don't mind having the ID logged on the server side.

Not to mention it's *possible* that this ID can be saved by a webspider and archived. If using cookies to store these IDs you won't have to worry about this problem. (unless there is a new super spider which logs cookies that I am unaware of in production use?)

  • zeno

>
> Is there anything on CERT about the fact that URL encoded session IDs
Received on Mon Nov 25 09:57:50 2002
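
Added example, not part of the original post: a small audit script that finds URL-carried session IDs in the request and Referer fields of a web server access log and redacts them, which is the server-side logging exposure the message refers to. The Apache/NCSA combined log format, the list of parameter names, and the sample lines are assumptions constructed for illustration.

```python
import re

# Parameter names often used for URL-carried session IDs (assumed list; adjust per application).
SESSION_PARAM = re.compile(
    r'([?&;](?:PHPSESSID|jsessionid|sid|sessionid|session_id)=)([^&;#?\s"]+)',
    re.IGNORECASE)

# Apache/NCSA combined format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')


def find_session_ids(line):
    """Return [(field, param_name)] for each session ID exposed in request or Referer."""
    m = COMBINED.match(line)
    if not m:
        return []
    hits = []
    for field in ("request", "referer"):
        for prefix, _value in SESSION_PARAM.findall(m.group(field)):
            hits.append((field, prefix[1:-1]))  # strip leading delimiter and trailing '='
    return hits


def redact(line):
    """Replace session ID values with a marker so the log can be retained or shared."""
    return SESSION_PARAM.sub(lambda m: m.group(1) + "REDACTED", line)


# Constructed sample lines (documentation addresses, made-up IDs).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Nov/2002:08:48:57 -0500] "GET /account?sid=a1b2c3d4e5 HTTP/1.0" '
    '200 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [25/Nov/2002:08:49:10 -0500] "GET /logo.gif HTTP/1.0" 200 900 '
    '"http://shop.example/cart;jsessionid=9F8E7D6C?item=3" "Mozilla/4.0"',
    '203.0.113.5 - - [25/Nov/2002:08:50:02 -0500] "GET /index.html HTTP/1.0" 200 1024 '
    '"-" "ExampleSpider/1.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for field, param in find_session_ids(line):
            print(f"{param} exposed in {field}: {redact(line)}")
```

A hit in the Referer field means the ID was sent to whichever server received that request, so those sessions are candidates for invalidation as well as redaction.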

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT

