Hosting Provided By

RE: Session Fixation

From: Cyrill Osterwalder <cyrill.osterwalder(at)seclutions.com>
Date: Wed Apr 02 2003 - 02:15:12 EST

>I am currently logging the super cookie to try and determine if it
>really is unique enough.

I always prefer and also recommend to have a session identifier of which the uniqueness is controlled and therefore guaranteed by the server, not any client software. The server software should not rely on the client side regarding this issue.

When using SSL connections, I'm often using the SSL session ID which is exactly such an example where the server guarantees uniqueness. However, the SSL session ID also has some problems like that old browser versions do not keep it long enough or that you lose sessions if your server side SSL session pool is not big enough. If one of these issues are relevant, I build long enough and very good random identifiers where I guarantee uniqueness in the session management code.

Cyrill

Cyrill Osterwalder
Chief Technology Officer
http://www.seclutions.com

PGPKey FP :5C84E132BBD50AB1627BF873D3B6CAF4C70E7ACB PGPKey URL:ldap://certserver.pgp.com Received on Wed Apr 2 02:16:54 2003

This message: [ Message body ]
Next message: Michiel Kalkman: "Re: Security Best Practice Resources"
Previous message: Razvan Peteanu: "Re: Security Best Practice Resources"
In reply to: Douglas Schlenker: "RE: Session Fixation"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT