Pantek Library

Hosting Provided By

CybrHost

High Speed Hosting

Re: Hijacking URL Encoded Session IDs using Referer Logs

From: Jeff Dafoe <jeff(at)badtz-maru.com>
Date: Mon Nov 25 2002 - 10:01:44 EST

> Many (most?) application servers use URL encoded session IDs when the

If the sessions in a particular app are that easy to hijack then the security issue is with that and not necessarily with the method used to transmit the session id. That is why the origin of a request must be validated when a request is issued against a particular session and it is also why sessions must be expired in a timely fashion. I think we are treading old territory here, stuff that was previously covered in past "poor session handling" advisories and such.

Jeff Received on Mon Nov 25 10:22:20 2002

This message: [ Message body ]
Next message: Bob Lee: "Re: Hijacking URL Encoded Session IDs using Referer Logs"
Previous message: Dawes, Rogan (ZA - Johannesburg): "RE: HTTP authentication and session timeout"
In reply to Bob Lee: "Re: Hijacking URL Encoded Session IDs using Referer Logs"
Next in thread: Bob Lee: "Re: Hijacking URL Encoded Session IDs using Referer Logs"
Reply: Bob Lee: "Re: Hijacking URL Encoded Session IDs using Referer Logs"
Reply: UDP 53: "Re: Hijacking URL Encoded Session IDs using Referer Logs"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT

Contact Us Legal Notices Order Services Online
Pantek Home Privacy Policy IT news Site Map Pantek Library