Re: Hijacking URL Encoded Session IDs using Referer Logs
From: <Craig_Sullivan(at)Waitrose.co.uk>
Date: Mon Nov 25 2002 - 10:45:46 EST

Hmmm, I've long advocated not allowing session IDs in URLs *unless* they are supplemented with additional authentication or cookies. Quite simply, if you encode the security equivalence of the browser in a URL you are open to:

(a) Replay attacks from the history file
The clients I have worked with always rely upon additional information (in the form of cookies) when verifying the session ID. In addition, many of them implement systems that employ two separate session tracking systems: one for the general state management issue and the second for the business of checking 'that this was the same browser instance that authenticated itself earlier in the session and not somebody else'. All use of the second state management system is encrypted.

I've developed a system called the '3 cookie' tracking system, but it won't work without cookies being enabled. Quite frankly, if cookies aren't enabled, I can't provide a secure mechanism for my clients to handle verification of identity along with a state management system.

It is worth mentioning that in several months' use of such a system, there were a minimal number of 'no we don't do cookies' systems that arrived on the site. I value security more highly than the often touted position of ensuring that disabled-cookie systems can have a fallback. My fallback is to ensure it doesn't work but at least highlights this to the visitor.

Craig.

Notice: This email is confidential and may contain copyright material of the John Lewis Partnership. If you are not the intended recipient, please notify us immediately and delete all copies of this message. (Please note that it is your responsibility to scan this message for viruses).
John Lewis plc Registered in England 233462
Registered office 171 Victoria Street London SW1E 5NN
Websites: http://www.johnlewis.com and http://www.waitrose.com

Received on Mon Nov 25 17:11:30 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT
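The design Craig describes, a session ID that may travel in URLs paired with a second, cookie-only verifier, can be illustrated with a small server-side model. The following is an added example and is not code from the original post or from any system the author built; the in-memory store, the key handling and the `sid` query parameter name are assumptions made for the illustration. It shows why a session ID that leaks through a Referer header or a browser history file cannot be replayed on its own: the cookie token is never part of a URL, so it is absent from any Referer log, and the server rejects a request that presents the sid without the matching cookie.

```python
"""Bind a URL-carried session ID to a cookie-only token so that a session ID
leaked through a Referer header or browser history cannot be replayed alone.

Constructed example: the session store and key below are in-memory stand-ins
for a real server-side store and a managed secret.
"""

import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Server-side HMAC key (constructed here; a deployment would load it from a secret store).
SERVER_KEY = secrets.token_bytes(32)

# In-memory session store: sid -> {"user": ..., "binding": HMAC(sid || cookie_token)}.
# Only the binding is stored, so a copy of the store alone does not yield usable cookie tokens.
SESSIONS: dict = {}


def _binding(sid: str, cookie_token: str) -> str:
    """HMAC that ties the URL session ID to its cookie-only companion token."""
    msg = f"{sid}\x00{cookie_token}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def create_session(user: str) -> tuple:
    """Issue a session as (sid, cookie_token).

    The sid may appear in links (the 'general state management' identifier).
    The cookie token is set only as a cookie (HttpOnly and Secure in practice)
    and is never placed in a URL, so it never reaches a Referer log."""
    sid = secrets.token_urlsafe(16)
    cookie_token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "binding": _binding(sid, cookie_token)}
    return sid, cookie_token


def verify_request(url_sid: Optional[str], cookie_token: Optional[str]) -> Optional[str]:
    """Return the authenticated user, or None when the sid and cookie do not
    belong together (missing cookie, unknown sid, or a different browser's cookie)."""
    if not url_sid or not cookie_token:
        return None
    rec = SESSIONS.get(url_sid)
    if rec is None:
        return None
    if not hmac.compare_digest(_binding(url_sid, cookie_token), rec["binding"]):
        return None
    return rec["user"]


def sid_from_referer(referer: str) -> Optional[str]:
    """Extract what a third party's access log would contain: only the URL part.
    Cookies are not carried in the Referer header, so the companion token is absent."""
    qs = parse_qs(urlparse(referer).query)
    return qs.get("sid", [None])[0]


def replay_is_rejected(referer: str) -> bool:
    """True if a request presenting only the Referer-visible sid is refused."""
    return verify_request(sid_from_referer(referer), None) is None


def demo() -> bool:
    """Walk through the legitimate and the leaked cases; returns True when all behave as expected."""
    sid, cookie = create_session("alice")
    # Legitimate request: URL sid plus the cookie the browser attaches automatically.
    ok = verify_request(sid, cookie) == "alice"
    # The same sid as it would appear in an external site's Referer log (constructed URL).
    leaked = f"https://shop.example/account?sid={sid}"
    ok = ok and replay_is_rejected(leaked)
    # A cookie token from a different browser instance does not match the binding either.
    ok = ok and verify_request(sid, secrets.token_urlsafe(32)) is None
    return ok


if __name__ == "__main__":
    print("all checks passed" if demo() else "a check failed")
```

The point of keeping only the HMAC binding server-side, rather than the cookie token itself, is that the verifier compares a recomputed value in constant time and never has to store the secret the browser holds; the sid alone, whether read from a history file or from a Referer log, carries no authority without it.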