[13640] in cryptography@c2.net mail archive
Re: Session Fixation Vulnerability in Web Based Apps
daemon@ATHENA.MIT.EDU (James A. Donald)
Sun Jun 15 14:42:45 2003
X-Original-To: cryptography@metzdowd.com
Date: Sun, 15 Jun 2003 11:34:55 -0700
From: "James A. Donald" <jamesd@echeque.com>
In-reply-to: <Pine.LNX.4.44L0.0306141903560.4492-100000@smtp.datapower.com>
To: cryptography@metzdowd.com
--
On 14 Jun 2003 at 19:07, Rich Salz wrote:
> When I've done login and state management, it's all
> maintained on the server side. It's completely independent
> of SSL sessions -- that's transport, has no place in
> application -- just like it's completely independent of
> HTTP/1.1 session management. A logout page isn't the same as
> "Connection: close" :)
>
> The only thing in the cookie is an opaque identifier. It's
> purely random bytes (for which OpenSSL's RAND_bytes() is
> useful),
Which is fine provided your code, rather than the framework
code, provided the cookie, and provided you generated the cookie
in response to a valid login, as Ben Laurie does. The
framework, however, generally provides insecure cookies.
--digsig
James A. Donald
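The defence the two posts converge on, as an added example that is not code from either poster: all session state lives on the server, the cookie value is nothing but an opaque random key, and a successful login discards whatever identifier the client arrived with and issues a fresh one, so an identifier planted before authentication never becomes an authenticated session. The `SessionStore` class and the `_USERS` credential table are constructed for this illustration; a real application would verify a password hash.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None          # None until a valid login
    data: dict = field(default_factory=dict)


# Constructed credential table for the example only.
_USERS = {"alice": "correct horse"}


def check_password(user: str, password: str) -> bool:
    # Constant-time comparison; a real app compares against a stored hash.
    return secrets.compare_digest(_USERS.get(user, ""), password)


class SessionStore:
    """Server-side state; the cookie carries only the opaque key."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        # 32 bytes from the OS CSPRNG, the role RAND_bytes() plays in OpenSSL.
        return secrets.token_hex(32)

    def anonymous(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session()
        return sid

    def login(self, presented_sid: Optional[str], user: str, password: str) -> Optional[str]:
        if not check_password(user, password):
            return None
        # Never upgrade the id the client presented: drop it and mint a new one.
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = self._new_id()
        self._sessions[sid] = Session(user=user)
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        return s.user if s else None

    def logout(self, sid: str) -> None:
        # Logout is server-side invalidation, independent of the transport.
        self._sessions.pop(sid, None)
```

A pre-login identifier handed to `login()` is removed from the store and the caller receives a different one, which is the check a session-fixation test should make.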
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com