[13646] in cryptography@c2.net mail archive
Re: Session Fixation Vulnerability in Web Based Apps
daemon@ATHENA.MIT.EDU (Matthew Byng-Maddick)
Mon Jun 16 10:26:36 2003
X-Original-To: cryptography@metzdowd.com
Date: Mon, 16 Jun 2003 14:27:48 +0100
From: Matthew Byng-Maddick <cryptography@lists.colondot.net>
To: cryptography@metzdowd.com
In-Reply-To: <8C9A566C643ED6119E8900A0C9DE297A32469D@saturn.aculab.com>
Mail-Copies-To: never
On Mon, Jun 16, 2003 at 10:47:04AM +0100, Jill.Ramonsky@Aculab.com wrote:
> session id). Authentication of subsequent pages is assumed only if the
> client's IP address matches the IP address stored in the session variable
> corresponding to the client's session.
> Is this secure? If not, why not?
It's not a question of whether it's secure or not: in any kind of environment
with distributed proxies, it just plain won't work.
A more useful fix is to not allow arbitrary sessionids to be created, and
generate the state on login, and destroy it on logout. There may be a
condition I've missed with this, but I'm not sure.
MBM
--
Matthew Byng-Maddick <mbm@colondot.net> http://colondot.net/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
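The fix MBM outlines (refuse client-supplied session ids the server never issued, create the authenticated state only on login, destroy it on logout) can be made concrete with a small in-memory model. The following is an added example written for this archive page, not code from the original post or from either correspondent; the class names, the helper functions and the planted id "attacker-chosen-sid" are constructed for illustration. It runs the same fixation scenario against a store that adopts any presented id and against one that follows the described rule, so the difference in outcome is visible.

```python
import secrets

SID_BYTES = 32  # 256 bits of CSPRNG entropy for every server-issued session id


class VulnerableSessionStore:
    """Accepts any session id the client presents and keeps it across login.

    This is the fixation bug: an attacker who plants an id in the victim's
    browser shares the victim's session once the victim authenticates under it.
    """

    def __init__(self):
        self.sessions = {}

    def request(self, presented_sid):
        """Return the session id in effect for this request."""
        if presented_sid is None:
            presented_sid = secrets.token_urlsafe(SID_BYTES)
        # Unknown ids are silently adopted: this is the flaw.
        self.sessions.setdefault(presented_sid, {"user": None})
        return presented_sid

    def login(self, sid, user):
        """Authenticate the user but keep the same (possibly attacker-chosen) id."""
        self.sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def whoami(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


class HardenedSessionStore:
    """Only server-issued ids are honoured; login rotates the id, logout destroys it."""

    def __init__(self):
        self.sessions = {}

    def _issue(self, user=None):
        sid = secrets.token_urlsafe(SID_BYTES)
        self.sessions[sid] = {"user": user}
        return sid

    def request(self, presented_sid):
        """Return the session id in effect; an id we never issued is discarded."""
        if presented_sid in self.sessions:
            return presented_sid
        return self._issue()

    def login(self, sid, user):
        """Destroy the pre-login session and issue a fresh id carrying the auth state."""
        self.sessions.pop(sid, None)
        return self._issue(user)

    def logout(self, sid):
        """Destroy the session server-side so the id is dead even if the client keeps it."""
        self.sessions.pop(sid, None)

    def whoami(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def run_fixation_attack(store, user="alice"):
    """Simulate the attack: attacker plants a sid, victim logs in while presenting it.

    Returns (what the attacker sees using the planted id,
             what the victim sees using the id the server returned after login).
    """
    planted_sid = "attacker-chosen-sid"          # constructed value under attacker control
    victim_sid = store.request(planted_sid)      # victim's browser presents the planted id
    victim_sid = store.login(victim_sid, user)   # victim authenticates
    return store.whoami(planted_sid), store.whoami(victim_sid)


def run_logout_check(store, user="bob"):
    """After logout the old id must no longer resolve to a user."""
    sid = store.login(store.request(None), user)
    before = store.whoami(sid)
    store.logout(sid)
    return before, store.whoami(sid)


if __name__ == "__main__":
    print("vulnerable:", run_fixation_attack(VulnerableSessionStore()))  # ('alice', 'alice')
    print("hardened:  ", run_fixation_attack(HardenedSessionStore()))    # (None, 'alice')
    print("logout:    ", run_logout_check(HardenedSessionStore()))       # ('bob', None)
```

Note that the hardened store never consults the client's IP address at all: the protection comes from the server being the only party that can mint a valid id and from throwing away whatever id was in play before authentication, which is why it keeps working behind the distributed proxies that break IP binding.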