Hosting Provided By

RE: Session Fixation

From: Mark Mcdonald <m.mcdonald(at)cgl.com.au>
Date: Thu Mar 27 2003 - 20:42:02 EST

This can be a problem with AOL users, Hannes Schmiderer mentioned in a posting earlier in the month that IP address changes across consecutive page hits can be a problem for AOL users (REF: http://webmaster.info.aol.com/proxyinfo.html ). Also the converse could occur where a large number of users behind say a corporate firewall (or university firewall) are all using the same IP address, it would make a session hijack relatively simple. This situation may be highly unlikely, but with security matters I feel that if (likelihood > 0) { solve(problem); } else { drink(beer); }

-----Original Message-----
From: Gary Gwin [mailto:websec@cafesoft.com] Sent: Friday, March 28, 2003 4:25 AM
To: webappsec@securityfocus.com
Subject: Re: Session Fixation

Thanks for posting, this is an excellent article.

One cavaet is with respect to binding the session ID to the browser's network address. There are some proxy servers that swap IP addresses between HTTP requests. In this case, binding to the exact IP address can cause a valid session to be orphaned.

Gary

St. Clair, James wrote:
> FYI - for those who have not seen it..

-- 

Gary Gwin
http://www.cafesoft.com

*****************************************************************
*                                                               *
*   The Cafesoft Access Management System, Cams, is security    *
*   software that provides single sign-on authentication and    *
*   centralized access control for Apache, Tomcat, and custom   *
*   resources.                                                  *
*                                                               *
*****************************************************************


******************************* DISCLAIMER ****************************** 
This e-mail and any attachments to it are confidential. 
If you receive them in error, please tell us immediately and delete them. 
You must not retain, distribute, disclose or otherwise use any information
contained in them. 

Before opening or using any attachments with this e-mail you should check
them for viruses and other defects. The sender does not warrant that they 
will be free from computer viruses or other defects.
*************************************************************************

Received on Thu Mar 27 22:37:27 2003

This message: [ Message body ]
Next message: Brass, Phil (ISS Atlanta): "RE: Cryptography and Site Security: Please critique my security idea"
Previous message: Jim McGarvey: "Re: Cryptography and Site Security: Please critique my security idea"
In reply to St. Clair, James: "Session Fixation"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT