Re: Hijacking URL Encoded Session IDs using Referer Logs
From: Bob Lee <crazybob(at)crazybob.org>
Date: Mon Nov 25 2002 - 17:46:31 EST

Or..... rather than linking directly to another site, allowing the browser to pass the user's session ID in the referer header, you could use an intermediate redirector for which a session ID is not needed.

Bob

Jeff Dafoe wrote:

>> One, I could have missed it, but I don't see anything in the owasp
>> security guide advising application developers to disable URL encoded
>> session IDs.
>
> If you are seeing session IDs in your referer logs then presumably the
>
>> Two, you can't tie the origin of the request (the IP address) to the
>> session for reasons that have been discussed here time and time again.
>
> You can make a best-effort attempt based on reverse resolution and
>
>> Three, expiring sessions in a "timely" manner accomplishes nothing. 0
>> seconds is the only safe timeout. A cracker could write a program that
>> monitors the HTTP referrer headers and e-mails her (hell, pages her) as
>> soon as it sees something that looks like a session ID.
>
> The "safe" timeout value, like the previous item, really depends on the

Received on Mon Nov 25 23:32:55 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT
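The intermediate redirector Bob's post proposes, as an added example that is not code from the original thread: outbound links are rewritten to a session-less `/out?to=<url>` path, so the Referer a third-party site sees never carries the URL-encoded session ID. The hostname allow list, the `/out` path and the WSGI handler names are assumptions; the `Referrer-Policy: no-referrer` header on the 302 is added because a plain redirect may otherwise forward the original page URL as the Referer, and the allow list keeps the endpoint from becoming an open redirect.

```python
"""Session-less outbound redirector (example code, not from the original post).

Assumed setup: the application keeps its session ID in the page URL, every
link to another site is rewritten to /out?to=<url>, and the set of
destination hosts is known in advance (ALLOWED_HOSTS is a constructed value)."""
from urllib.parse import urlencode, urlsplit, parse_qs
from wsgiref.util import setup_testing_defaults

# Destinations the redirector may send users to. Without this check an
# attacker-controlled 'to' parameter would make /out an open redirect.
ALLOWED_HOSTS = {"example.org", "www.example.org"}


def outbound_link(target: str) -> str:
    """Return the redirector URL to emit in place of a direct link."""
    return "/out?" + urlencode({"to": target})


def is_allowed(target: str) -> bool:
    """Accept only http(s) destinations on the allow list."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def redirector_app(environ, start_response):
    """WSGI handler for /out: 302 to an allowed target, 400 otherwise.

    The response's Referrer-Policy asks the browser to omit the Referer on
    the redirected request too, so neither the session-bearing page URL nor
    the /out URL reaches the destination site."""
    target = parse_qs(environ.get("QUERY_STRING", "")).get("to", [""])[0]
    if not is_allowed(target):
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"refused: destination not on the allow list\n"]
    start_response("302 Found", [("Location", target),
                                 ("Referrer-Policy", "no-referrer"),
                                 ("Cache-Control", "no-store")])
    return [b""]


def call(app, query: str):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"], environ["QUERY_STRING"] = "/out", query
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    link = outbound_link("https://www.example.org/page")
    print(link, call(redirector_app, link.split("?", 1)[1])[0])
```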