Re: Custom session tokens and XSS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi...
> The reason to log a session out when a bad token is received is so that if
Yep, of course logging off the other one works vice versa.
:o)
The problem here is that users tend to log themselves off very often when they
hit the browser's "reload" button. In this case an old (thus invalid) token is
submitted. I had lots of users of a real application complaining about that.
> It opens a denial of service capability but closes another hole.
This is the case for other problems too; you have to balance the reasons
for the security measures you take.
But maybe you're right:
The nuisance of being logged off unintentionally may outweigh the risk of
having some transaction tokens stolen.
Kind regards
Ingo
- --
ingo@ingostruck.de
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint
C700 9951 E759 1594 0807 5BBF 8508 AF92 19AA 3D24
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
iD8DBQE/O6wvhQivkhmqPSQRApf+AKCK21BH1VBO6b8ltRnmxQg+7+sUHwCglRNQ
Ia/bnmLBG6zSPMgU7wCKXxo=
=gVXq
-----END PGP SIGNATURE-----
Received on Thu Aug 14 12:36:50 2003
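The trade-off Ingo describes (kill the session on any unexpected token, and accept that a browser reload logs the user out; or tolerate the reload and accept a weaker reaction to a stolen token) can be shown side by side. The following is an added example written for this archive page, not code from the thread or from any application mentioned in it. The class, the two policy names ("strict" and "tolerant") and the simulation helpers are hypothetical; the token mechanism itself is the one-time transaction token the thread discusses.

```python
import secrets
from collections import deque


class SessionTokens:
    """Per-session store of one-time transaction tokens (illustrative only).

    Two validation policies are modelled:
      strict   -> a submitted token that is not currently outstanding
                  terminates the session (the behaviour debated in the thread)
      tolerant -> a token this session already consumed (a browser reload of
                  a processed form) is refused but the session survives; a
                  token the session never issued still terminates it
    """

    def __init__(self, policy="strict", history=8):
        self.policy = policy
        self.alive = True
        # tokens issued to this session but not yet used; a set so several
        # open tabs/forms can each hold their own valid token
        self.outstanding = set()
        # recently consumed tokens, bounded so old ones age out
        self.consumed = deque(maxlen=history)

    def issue(self):
        """Generate a fresh unguessable token for a newly rendered form."""
        tok = secrets.token_urlsafe(16)
        self.outstanding.add(tok)
        return tok

    def submit(self, tok):
        """Validate a token from a form post; returns 'ok', 'replay' or 'logged_out'."""
        if not self.alive:
            return "logged_out"
        if tok in self.outstanding:
            self.outstanding.discard(tok)   # one-time use
            self.consumed.append(tok)
            return "ok"
        if self.policy == "tolerant" and tok in self.consumed:
            # the same form was posted again (reload); refuse the duplicate
            # action but do not punish the user by ending the session
            return "replay"
        # unknown token: either a stolen/forged token or, under the strict
        # policy, a reload; either way the session is ended
        self.alive = False
        self.outstanding.clear()
        return "logged_out"


def simulate_reload(policy):
    """Render a form, submit it, then hit reload (same token posted twice)."""
    s = SessionTokens(policy)
    tok = s.issue()
    first = s.submit(tok)
    again = s.submit(tok)
    return first, again, s.alive


def simulate_foreign_token(policy):
    """Post a token this session never issued (constructed attacker input)."""
    s = SessionTokens(policy)
    s.issue()
    return s.submit("token-never-issued-to-this-session"), s.alive


if __name__ == "__main__":
    for p in ("strict", "tolerant"):
        print(p, "reload:", simulate_reload(p), "foreign:", simulate_foreign_token(p))
```

The tolerant policy only softens the reload case: a token that was never issued to the session is still fatal under both policies, so an attacker who has stolen a token gets exactly one use of it either way. What the tolerant policy gives up is the ability to detect that a stolen token was used before the legitimate user got to it, which is the point of the "log the other one out" behaviour in the thread; the bounded history also means a reload of a very old form still logs the user out.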