Hosting Provided By

Re: Session Fixation

From: Gary Gwin <websec(at)cafesoft.com>
Date: Thu Mar 27 2003 - 15:24:30 EST

Thanks for posting, this is an excellent article.

One cavaet is with respect to binding the session ID to the browser's network address. There are some proxy servers that swap IP addresses between HTTP requests. In this case, binding to the exact IP address can cause a valid session to be orphaned.

Gary

St. Clair, James wrote:
> FYI - for those who have not seen it..

-- 

Gary Gwin
http://www.cafesoft.com

*****************************************************************
*                                                               *
*   The Cafesoft Access Management System, Cams, is security    *
*   software that provides single sign-on authentication and    *
*   centralized access control for Apache, Tomcat, and custom   *
*   resources.                                                  *
*                                                               *
*****************************************************************

Received on Thu Mar 27 15:57:46 2003

This message: [ Message body ]
Next message: Mark Reardon: "Re: Cryptography and Site Security: Please critique my security idea"
Previous message: Gary Gwin: "Re: Fail Open Authentication and Parameter Injection"
In reply to St. Clair, James: "Session Fixation"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT