[13629] in cryptography@c2.net mail archive


Re: Session Fixation Vulnerability in Web Based Apps

daemon@ATHENA.MIT.EDU (Daniel Carosone)
Sat Jun 14 10:56:17 2003

X-Original-To: cryptography@metzdowd.com
Date: Sat, 14 Jun 2003 18:24:50 +1000
From: Daniel Carosone <dan@geek.com.au>
To: Rich Salz <rsalz@datapower.com>
Cc: "James A. Donald" <jamesd@echeque.com>,
	"cryptography@metzdowd.com" <cryptography@metzdowd.com>
In-Reply-To: <Pine.LNX.4.44L0.0306132154290.4951-100000@smtp.datapower.com>

On Fri, Jun 13, 2003 at 09:58:32PM -0400, Rich Salz wrote:
> The following environment variables are exported into SSI files
> and CGI scripts:
>     SSL_SESSION_ID The hex-encoded SSL session id

The problem is that this is not especially useful in practice, if
your client is IE. Essentially, you can't rely on IE to keep ssl
sessions open from one request to the next, and thus it's not
practical to treat this as a significant authentication token.

--
Dan.
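The thread's subject is session fixation, and Dan's point is that the TLS session id is not a dependable handle for tying an application session to a client. The usual server-side mitigation is independent of the transport: issue a fresh application session identifier at the moment of authentication, so an identifier planted before login never becomes an authenticated one. The following is an added illustration, not code from the original message or from any project discussed in the thread; the `SessionStore` class, the `simulate_fixation` helper and the user name "alice" are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session state keyed by an opaque identifier."""
    user: Optional[str] = None
    data: dict = field(default_factory=dict)


class SessionStore:
    """Minimal in-memory session store (constructed for this example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        # 256 bits of entropy from the OS CSPRNG; unguessable identifier.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login_insecure(self, sid: str, user: str) -> str:
        # Fixation-prone pattern: the pre-authentication identifier is
        # kept and simply marked as logged in. Whoever already knows
        # that identifier now holds an authenticated session.
        sess = self._sessions.setdefault(sid, Session())
        sess.user = user
        return sid

    def login(self, sid: str, user: str) -> str:
        # Mitigation: rotate the identifier on privilege change. The old
        # id is discarded, so a value planted before login is worthless
        # afterwards. Session data survives the rotation.
        old = self._sessions.pop(sid, None) or Session()
        old.user = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = old
        return new_sid


def simulate_fixation(rotate: bool) -> bool:
    """Return True if an identifier known before login still grants an
    authenticated session after the victim logs in (i.e. fixation works)."""
    store = SessionStore()
    # Constructed scenario: an identifier is issued before authentication
    # and is assumed to be known to a third party before the login step.
    planted = store.new_session()
    if rotate:
        store.login(planted, "alice")
    else:
        store.login_insecure(planted, "alice")
    sess = store.get(planted)
    return sess is not None and sess.user == "alice"


if __name__ == "__main__":
    print("without rotation, planted id is authenticated:", simulate_fixation(False))
    print("with rotation, planted id is authenticated:   ", simulate_fixation(True))
```

The check worth carrying into real code is the one in `login`: the identifier issued before authentication must stop resolving to anything once the user has authenticated, and the new identifier must be generated server-side from a CSPRNG rather than accepted from the request. Binding to transport-level state such as `SSL_SESSION_ID` can at most be an additional signal, which is why the rotation does not depend on it.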

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
