
Re: Hijacking URL Encoded Session IDs using Referer Logs

From: Jeff Dafoe <jeff(at)badtz-maru.com>
Date: Mon Nov 25 2002 - 13:17:21 EST

> One, I could have missed it, but I don't see anything in the owasp

    If you are seeing session IDs in your referer logs then presumably the users who established those sessions did not get a cookie-based session for some reason. How will those users be serviced if the "fallback" method by which their session was maintained is disabled?

> Two, you can't tie the origin of the request (the IP address) to the

    You can make a best-effort attempt based on reverse resolution and originating domain. Feeble, agreed.

> Three, expiring sessions in a "timely" manner accomplishes nothing. 0

    The "safe" timeout value, like the previous item, really depends on the type of application you are referring to and the level of security required by that application. You really cannot say that generically, session IDs present in the URL represent a security problem, because this assumes that a system using session IDs in the URL to maintain state has any information worth securing. I would hate to see web app frameworks suddenly, uncategorically, remove support for url-based sessions, particularly when the removal of such will clearly affect the ability of some users to access web applications utilizing those frameworks.

Jeff

Received on Mon Nov 25 17:16:03 2002
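The two mitigations the reply leans on for URL-carried session IDs, a best-effort binding of the session to its originating client and an idle timeout, sketched as an added example (not code from the thread or any project it mentions). It simplifies the "reverse resolution and originating domain" check to an exact client-IP match, and the 900-second timeout and the sample addresses are constructed values; a session ID that leaked through a Referer log and is replayed from another host is revoked, and a session idle past the timeout is dropped.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 900  # seconds; assumed value, the right one depends on the application


@dataclass
class Session:
    user: str
    origin_ip: str   # client address that established the session
    last_seen: float  # unix time of the last accepted request


class UrlSessionStore:
    """Server-side store for session IDs carried in the URL, with two checks
    on every use: origin binding (best-effort) and an idle timeout."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, client_ip: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable, so leakage is the only realistic exposure
        self._sessions[sid] = Session(user, client_ip, now)
        return sid

    def validate(self, sid: str, client_ip: str, now: float) -> tuple[bool, str]:
        s = self._sessions.get(sid)
        if s is None:
            return False, "unknown session"
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[sid]  # expired: remove it so a later replay finds nothing
            return False, "expired"
        if s.origin_ip != client_ip:
            del self._sessions[sid]  # an ID presented from elsewhere is treated as leaked: revoke it
            return False, "origin mismatch"
        s.last_seen = now  # valid use refreshes the idle timer
        return True, s.user


def demo() -> list[str]:
    """Constructed scenario: normal use, a replay from another host, and an idle session."""
    store = UrlSessionStore(idle_timeout=900)
    t0 = 1_000_000.0
    sid = store.create("alice", "10.0.0.5", t0)
    results = [store.validate(sid, "10.0.0.5", t0 + 60)[1]]        # accepted: "alice"
    results.append(store.validate(sid, "198.51.100.7", t0 + 120)[1])  # leaked ID replayed: revoked
    results.append(store.validate(sid, "10.0.0.5", t0 + 180)[1])      # original client now locked out too
    sid2 = store.create("bob", "10.0.0.9", t0)
    results.append(store.validate(sid2, "10.0.0.9", t0 + 901)[1])     # idle past the timeout
    return results
```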


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT

