Full Disclosure mailing list archives

Re: GitHub Login Cookie Failure


From: Chris Roussel <lab12 () lavabit com>
Date: Mon, 08 Apr 2013 18:50:45 -0500

On 04/08/2013 04:43 PM, Jeffrey Walton wrote:

> You might also check to see if the session identifier changes between
> sessions. If not, GitHub may be using static session IDs, which means
> they could be guessable.

Well, at least the first 103 (there are 303) characters are static. But
I think that it will take you at least twice the age of the universe to
guess that ID.

Regards,




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
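
The comparison discussed in this exchange, as an added example that is not part of either poster's message: it takes the identifiers issued to one account across separate logins, measures the shared prefix, and bounds the size of the part that changes. The function names, the 64-symbol alphabet, the 128-bit threshold and the sample identifiers (built to match the 303-character length and 103-character static prefix mentioned above) are assumptions.

```python
import hashlib
import math
import os

ALPHABET_SIZE = 64   # assumption: URL-safe base64-style identifier alphabet
MIN_BITS = 128       # assumption: review threshold, set per your own policy


def assess(ids, alphabet_size=ALPHABET_SIZE, min_bits=MIN_BITS):
    """Compare identifiers issued to one account across separate logins."""
    if len(set(ids)) == 1:
        # Same value after every login: the identifier is fully static.
        return {"verdict": "static", "prefix": len(ids[0]), "max_bits": 0.0}
    prefix = len(os.path.commonprefix(ids))
    variable = min(len(i) for i in ids) - prefix
    # Upper bound only: treats every non-shared character as uniformly
    # random. A shared prefix by itself does not make the rest guessable.
    max_bits = variable * math.log2(alphabet_size)
    verdict = "ok" if max_bits >= min_bits else "weak"
    return {"verdict": verdict, "prefix": prefix, "max_bits": max_bits}


def constructed_id(n, tail_len=200):
    """Constructed sample: 103 fixed characters plus a per-login tail."""
    digest = hashlib.sha512(str(n).encode()).hexdigest() * 2
    return "A" * 103 + (str(n) + digest)[:tail_len]


# Constructed inputs, not captured from any real site.
ROTATING = [constructed_id(n) for n in (1, 2, 3)]           # 303 chars each
COUNTER = ["A" * 103 + f"{n:010d}" for n in (1, 2, 3)]      # sequential tail
STATIC = [constructed_id(1)] * 3                            # never changes

if __name__ == "__main__":
    for name, ids in (("rotating", ROTATING), ("counter", COUNTER),
                      ("static", STATIC)):
        print(name, assess(ids))
```

The `max_bits` figure is a ceiling on the search space, not a measurement of randomness; a tail that passes this check still needs its generator reviewed.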

