[13627] in cryptography@c2.net mail archive


Re: Session Fixation Vulnerability in Web Based Apps

daemon@ATHENA.MIT.EDU (Rich Salz)
Sat Jun 14 01:01:11 2003

X-Original-To: cryptography@metzdowd.com
Date: Fri, 13 Jun 2003 21:58:32 -0400 (EDT)
From: Rich Salz <rsalz@datapower.com>
To: "James A. Donald" <jamesd@echeque.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
In-Reply-To: <3EE9EB24.23140.B8C6217@localhost>

> To make the system entirely secure against this attack, we need
> to be able to enforce a one to one mapping between login
> sessions and https sessions.  The existing tools for writing
> server side code do not provide us with any direct means of
> enforcing such a relationship.

I'm not paying very close attention to your posts.  Paragraphs like the
above are the reason why.  From
    http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25

The following environment variables are exported into SSI files
and CGI scripts:
    SSL_SESSION_ID The hex-encoded SSL session id

Care to try again?
        /r$


--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
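
What the reply is pointing at, as an added example (editor's illustration, not code from the thread or from mod_ssl): a CGI-style handler that reads the SSL_SESSION_ID variable mod_ssl exports into the request environment, issues a fresh application session only after authentication (so any session id an attacker planted before login is discarded), and records the TLS session id it was issued under. Later requests presenting that application session over a different TLS session are refused. The environment dictionaries, session ids, usernames and the in-memory store are constructed for the example; a real deployment would persist sessions elsewhere. Note that mod_ssl only exports the SSL_* variables to CGI when `SSLOptions +StdEnvVars` is set, and that a browser which negotiates a new TLS session (full handshake after a timeout or reconnect) will present a new id and be logged out by this check, so it is a strict binding, not a free one.

```python
import hmac
import secrets

# Constructed in-memory session store: sid -> {"user": ..., "tls_session_id": ...}.
SESSIONS = {}


class SessionError(Exception):
    """Raised when a request cannot be tied to a valid, correctly bound session."""


def login(environ, username):
    """Create a fresh application session after successful authentication.

    `environ` is the CGI environment; with mod_ssl and `SSLOptions +StdEnvVars`
    it carries SSL_SESSION_ID, the hex-encoded TLS session id of the connection
    that delivered this request. The caller has already verified credentials.
    """
    tls_id = environ.get("SSL_SESSION_ID")
    if not tls_id:
        raise SessionError("login must arrive over HTTPS with a TLS session id")
    # A brand-new, unpredictable id: whatever session id the client presented
    # before login (possibly attacker-chosen) is never promoted to a logged-in one.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "tls_session_id": tls_id}
    return sid


def authenticate_request(environ, sid):
    """Return the user for `sid` only if it is presented over the same TLS session."""
    record = SESSIONS.get(sid)
    if record is None:
        raise SessionError("unknown session")
    presented = environ.get("SSL_SESSION_ID", "")
    # Constant-time compare; both strings are attacker-observable anyway, but
    # it keeps the check uniform and avoids a timing side channel on the bound id.
    if not hmac.compare_digest(record["tls_session_id"], presented):
        # Same application cookie, different TLS session: treat as fixation or
        # hijack and invalidate the session rather than just rejecting the request.
        del SESSIONS[sid]
        raise SessionError("session is bound to a different TLS session")
    return record["user"]


def run_scenario():
    """Constructed session-fixation attempt. Returns (victim_ok, attacker_blocked).

    The attacker plants a session id in the victim's browser, the victim logs in
    over their own TLS session, and the attacker then replays the session the
    victim ended up with over the attacker's own TLS session.
    """
    victim_env = {"SSL_SESSION_ID": "0a1b2c3d4e5f60718293a4b5c6d7e8f9"}    # constructed
    attacker_env = {"SSL_SESSION_ID": "ffeeddccbbaa99887766554433221100"}  # constructed
    planted_sid = "attacker-planted-session"                               # constructed

    # Victim authenticates; the planted id is ignored and a new one is issued.
    sid = login(victim_env, "alice")
    assert sid != planted_sid
    victim_ok = authenticate_request(victim_env, sid) == "alice"

    # Attacker learns the victim's sid (the fixation premise) and replays it.
    try:
        authenticate_request(attacker_env, sid)
        attacker_blocked = False
    except SessionError:
        attacker_blocked = True
    return victim_ok, attacker_blocked


if __name__ == "__main__":
    print(run_scenario())
```

The two pieces work together: regenerating the session id at login is the direct fix for fixation, and binding the regenerated id to SSL_SESSION_ID is the one-to-one mapping the quoted paragraph says the tools do not provide.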
