[13632] in cryptography@c2.net mail archive
Re: Session Fixation Vulnerability in Web Based Apps
daemon@ATHENA.MIT.EDU (James A. Donald)
Sat Jun 14 16:51:52 2003
X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Date: Sat, 14 Jun 2003 11:36:48 -0700
In-reply-to: <20030614082450.GE4951@bcd.geek.com.au>
--
Rich Salz:
> > The following environment variables are exported into SSI
> > files and CGI scripts:
> > SSL_SESSION_ID The hex-encoded SSL session id
On 14 Jun 2003 at 18:24, Daniel Carosone wrote:
> The problem is that this is not especially useful in
> practice, if your client is IE. Essentially, you can't rely
> on IE to keep ssl sessions open from one request to the next,
> and thus it's not practical to treat this as a significant
> authentication token.
As I said earlier, there is no strong enforceable relationship
between an https session and a login session.
"This fortress wall not merely meets specifications, but is
invincible"
"But it only covers the north side of the fortress, and there
is a gate in the middle that a child could kick down"
"The specification was for the north wall, and the gate is the
responsibility of the supplies and transport division"
--digsig
James A. Donald
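To make the point concrete, here is an added example (mine, not from anyone in the thread): a toy in-memory session store that first binds a login to the mod_ssl SSL_SESSION_ID the quoted docs expose, and shows the check failing as soon as the client opens a fresh SSL session, then applies the usual session-fixation defence of issuing a new application session id at login. The store, the user name and the SSL_SESSION_ID values are constructed for the demonstration.

```python
import secrets


class SessionStore:
    """Constructed in-memory session table: session id -> {user, ssl_session_id}."""

    def __init__(self):
        self.sessions = {}

    def new_anonymous(self):
        # Pre-login session id, as handed out on a first visit.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None, "ssl_session_id": None}
        return sid

    def login_bound_to_tls(self, sid, user, environ):
        # Approach discussed in the thread: record SSL_SESSION_ID at login
        # and require the same value on every later request.
        self.sessions[sid] = {"user": user,
                              "ssl_session_id": environ["SSL_SESSION_ID"]}
        return sid

    def request_bound_to_tls(self, sid, environ):
        rec = self.sessions.get(sid)
        if rec is None or rec["ssl_session_id"] != environ.get("SSL_SESSION_ID"):
            return None  # mismatch is treated as "not logged in"
        return rec["user"]

    def login_regenerate(self, old_sid, user):
        # Session-fixation defence: discard the pre-login id (which an
        # attacker could have planted) and issue a fresh one on login.
        self.sessions.pop(old_sid, None)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": user, "ssl_session_id": None}
        return new_sid

    def request_regenerate(self, sid):
        rec = self.sessions.get(sid)
        return rec["user"] if rec else None


def tls_binding_breaks_on_new_handshake():
    store = SessionStore()
    sid = store.new_anonymous()
    store.login_bound_to_tls(sid, "alice", {"SSL_SESSION_ID": "aa11"})
    same = store.request_bound_to_tls(sid, {"SSL_SESSION_ID": "aa11"})
    # Client starts a new SSL session (as described for IE): new session id.
    after = store.request_bound_to_tls(sid, {"SSL_SESSION_ID": "bb22"})
    return same, after  # ("alice", None): the login is lost on the next handshake


def fixation_defeated_by_regeneration():
    store = SessionStore()
    planted = store.new_anonymous()
    fresh = store.login_regenerate(planted, "alice")
    return (store.request_regenerate(planted),
            store.request_regenerate(fresh), planted != fresh)
```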
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com