Re: post to bugtraq about "session fixation"

From: Alex Russell <alex(at)netWindows.org>
Date: Wed Dec 18 2002 - 17:49:52 EST

On Wednesday 18 December 2002 15:18, Kevin Spett wrote:
> If the session management implementations of web application servers

Perhaps, but there are a lot of other requisite mistakes needed for this to be an issue, such as:

  • the app must accept the SAME session IDs across both secured and unsecured interactions
  • the app must not change the session id on a per-page or per-action basis
  • the app must not issue another "action specific" nonce to be used in conjunction with the session ID to validate for sensitive actions

> Lots of people rely on the

I agree. For sites that have the multitude of problems necessary to exploit this, it's a serious issue.

> Sure,

My favorite claim in that flash marketing trainwreck: "Active scout blocks all attacks, even the unknown ones". And we wonder why people find it hard to trust security vendors...sigh...

-- 
Alex Russell
alex@netWindows.org
alex@SecurePipe.com
Received on Wed Dec 18 16:48:49 2002
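The three "requisite mistakes" listed in the message, shown from the other side as the corresponding protections in a small session store. This is an added example, not code from the original message or any product it mentions; `SessionStore`, its methods and `walkthrough` are names chosen here.

```python
import secrets

class SessionStore:
    def __init__(self):
        self._sessions = {}  # toy in-memory store built for this example: sid -> {"user", "secure", "nonces"}

    def issue(self, user, secure):
        sid = secrets.token_urlsafe(32)  # unguessable id; user=None means anonymous
        self._sessions[sid] = {"user": user, "secure": secure, "nonces": set()}
        return sid

    def lookup(self, sid, secure):
        # an id presented on a different channel than it was issued on is rejected
        s = self._sessions.get(sid)
        return s if s is not None and s["secure"] == secure else None

    def login(self, sid, user, secure):
        # authenticate and rotate: whatever id existed before login stops working
        if self.lookup(sid, secure) is None:
            return None
        del self._sessions[sid]
        return self.issue(user, secure)

    def issue_nonce(self, sid, secure):
        s = self.lookup(sid, secure)
        if s is None:
            return None
        nonce = secrets.token_urlsafe(16)  # one-time token tied to this session
        s["nonces"].add(nonce)
        return nonce

    def sensitive_action(self, sid, secure, nonce):
        # only an authenticated session presenting an unused nonce is allowed
        s = self.lookup(sid, secure)
        if s is None or s["user"] is None or nonce not in s["nonces"]:
            return False
        s["nonces"].discard(nonce)  # consumed, so a replayed nonce fails
        return True

def walkthrough():
    store = SessionStore()
    pre = store.issue(None, secure=True)  # anonymous id that existed before login
    post = store.login(pre, "alice", secure=True)
    nonce = store.issue_nonce(post, secure=True)
    return {
        "old_id_dead_after_login": store.lookup(pre, True) is None,
        "id_bound_to_channel": store.lookup(post, False) is None,
        "unknown_nonce_rejected": not store.sensitive_action(post, True, "bogus"),
        "nonce_single_use": store.sensitive_action(post, True, nonce) and not store.sensitive_action(post, True, nonce),
    }
```

Every entry returned by `walkthrough()` is `True` when the three protections hold; drop any one of them (keep the id across login, accept it on both channels, or skip the nonce) and the matching entry turns `False`.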

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT
