Full Disclosure mailing list archives

Re: defense against session hijacking

From: Ron DuFresne <dufresne () winternet com>
Date: Wed, 19 Nov 2003 11:09:44 -0600 (CST)

On Mon, 17 Nov 2003, Gary E. Miller wrote:

Yo Thomas!

Some ISPs like AOL use ganged proxies/caches.  You may get the same session
from different proxies as they round robin.

Overly agressive web caches are a big problem for web apps.


not to mention that IP's can be spoofed.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

defense against session hijacking Thomas M. Duffey (Nov 17)
- Re: defense against session hijacking Gary E. Miller (Nov 17)
  - Re: defense against session hijacking Ron DuFresne (Nov 19)
- Re: defense against session hijacking David Maynor (Nov 17)
  - Re: defense against session hijacking Damian Gerow (Nov 17)
    - Re: defense against session hijacking Frank Knobbe (Nov 17)
    - Re: defense against session hijacking Damian Gerow (Nov 17)
    - Re: defense against session hijacking David Maynor (Nov 17)
  - window hiding sir kaber (Nov 17)
  - Re: defense against session hijacking |reduced|minus|none| (Nov 17)
- Re: defense against session hijacking Scott Taylor (Nov 17)
- Re: defense against session hijacking Bill Pennington (Nov 17)
- Re: defense against session hijacking Jason Ziemba (Nov 18)

(Thread continues...)