[13652] in cryptography@c2.net mail archive
Re: Session Fixation Vulnerability in Web Based Apps
daemon@ATHENA.MIT.EDU (James A. Donald)
Mon Jun 16 13:12:46 2003
X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: Ng Pheng Siong <ngps@netmemetic.com>
Date: Mon, 16 Jun 2003 09:51:39 -0700
Cc: cryptography@metzdowd.com
In-reply-to: <20030616021044.GC420@vista.netmemetic.com>
--
James A. Donald:
> > Which is fine provided your code, rather than the framework
> > code provided the cookie, and provided you generated the
> > cookie in response to a valid login, as Ben Laurie does.
> > The framework, however, generally provides insecure
> > cookies.
Ng Pheng Siong:
> Dynamic programming environments like Lisp, Smalltalk and
> Python allow the application programmer to replace parts of a
> framework with other code easily.
The word "environment", like "framework", is overloaded. I had
in mind such frameworks as PHP, Struts, and ASP. mod_perl
makes you do your own damn cookie management as far as I know,
and so would not in itself cause the session fixation problem,
though programmer error might very easily cause it.
--digsig
James A. Donald
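The point the thread turns on, as an added illustration (not code from the thread or from any of the frameworks named): a framework-style session store keeps whatever session id the client already holds across login, so an id handed out before login ends up authenticated; a store that issues a fresh id in response to a valid login never authenticates the earlier id. All names, the user table and the password here are constructed for the example.

```python
import hmac
import secrets

# Constructed credential table for the example; a real app checks a password hash.
USERS = {"alice": "correct horse battery staple"}


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed user table."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """Minimal server-side session store; the flag selects the two behaviours."""

    def __init__(self, regenerate_on_login: bool):
        self.sessions = {}  # session id -> {"user": name or None}
        self.regenerate_on_login = regenerate_on_login

    def new_id(self) -> str:
        return secrets.token_urlsafe(32)  # unguessable, CSPRNG-backed id

    def get_or_create(self, presented_id):
        """Framework-style behaviour: keep a known id, else mint an anonymous one."""
        if presented_id is None or presented_id not in self.sessions:
            presented_id = self.new_id()
            self.sessions[presented_id] = {"user": None}
        return presented_id

    def login(self, session_id: str, username: str, password: str) -> str:
        """Return the id the client must use after login; unchanged on failure."""
        if not check_password(username, password):
            return session_id
        if self.regenerate_on_login:
            # Mitigation: drop the pre-login id and bind the login to a fresh one,
            # so an id that existed before authentication never becomes authenticated.
            self.sessions.pop(session_id, None)
            session_id = self.new_id()
            self.sessions[session_id] = {"user": None}
        self.sessions[session_id]["user"] = username
        return session_id

    def user_for(self, session_id: str):
        return self.sessions.get(session_id, {}).get("user")


def simulate(regenerate_on_login: bool):
    """Who the pre-login id and the post-login id resolve to, and whether they differ."""
    store = SessionStore(regenerate_on_login)
    pre_login_id = store.get_or_create(None)  # id issued to an anonymous visitor
    post_login_id = store.login(pre_login_id, "alice", USERS["alice"])
    return store.user_for(pre_login_id), store.user_for(post_login_id), pre_login_id == post_login_id
```

`simulate(False)` shows the framework default (the anonymous id now resolves to "alice"); `simulate(True)` shows the regenerate-on-login fix (the anonymous id resolves to nobody and the authenticated id is new).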
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com