Hosting Provided By

Re: post to bugtraq about "session fixation"

From: <securityarchitect(at)hush.com>
Date: Wed Dec 18 2002 - 14:28:34 EST

With respect I think its a great marketing paper but nothing more. You should never allow the same token to be used over HTTP that is then valid over SSL. At least one variant of this attack relies on that assumption.

Correct way if for the user to enter username and password over SSL and session cookie is set to that browser session over SSL. A pre-fixed cookie would get you to the public site (which maybe customized for a user experience but not show logged in details) but shouldn't get you to anywhere other than a login screen.

This paper also assumes that application session management is closely tied to web server session management. IMHO its not and this is a good reason why not. People think it is cause IIS and others still sends ASPSession IDs by default but just because the cookie protcol says they get returned if the domain path matches, doesn't mean to say they get processed by an app.

This is nothing new (although a good write-up).

On Wed, 18 Dec 2002 12:13:26 -0800 Alex Russell <alex@netWindows.org> wrote:
>I don't know if anyone else has seen this yet:

Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2

Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 Received on Wed Dec 18 15:06:01 2002

Do you need help?

This message: [ Message body ]
Next message: Panayiotis A. Thermos: "Re: post to bugtraq about "session fixation""
In reply to Alex Russell: "post to bugtraq about "session fixation""
Next in thread: Kevin Spett: "Re: post to bugtraq about "session fixation""
Reply: Kevin Spett: "Re: post to bugtraq about "session fixation""

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT