Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: Mark Curphey <mark () CURPHEY COM>
Date: Sun, 24 Dec 2000 09:09:30 -0800
IMHO - I am not sure how this solves the problem at all of secure session state. Sure you can set the cookie as a secure cookie (i.e. can only be transmitted over https), but if I am reading you right (and I may not be) the cookie is still set on the client machine and whatever you set can be replayed by any user of that machine. I can't see how SSL and token based authentication adds value here to session management. All this adds is an encrypted tunnel to set a cookie.

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of van der Kooij, Hugo
Sent: Saturday, December 23, 2000 4:05 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] HTTP Secure Session State Management

On Fri, 22 Dec 2000, Mark Curphey wrote:
Apart from RFC 2965 (cookies) what other methods are available to developers to manage sessions securely; i.e. authenticate each session in a transaction? Is a decorated URL a better option?
IMHO the best way would be to use SSL connections to reduce sniffing. If you can support client certificates you can use them as well but don't rely on them purely. Once you have an encrypted tunnel use user authentication with hardware tokens like Shiva Access Manager or Ace's Secure Server. (Combine username + user password with pin and hardware token response for authentication.) Then you can use cookies to cache the user info for a limited time. (Don't push it over an hour and make sure you keep them rather secure.) Besides the client certificates, this is how I created a support server.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij () caiw nl http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
This message has not been checked and may contain harmful content.
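As an added illustration of the two points above (a cookie that caches user info for at most an hour and is kept "rather secure", and Mark's objection that a cookie copied from the client machine can still be replayed while it is live), here is example code written for this archive page, not code from either poster. It assumes a server-side HMAC key (the value below is constructed for the demo) and a cookie named "session".

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a server-side secret; this value is constructed for the demo.
SECRET = b"constructed-demo-key"
MAX_LIFETIME = 3600  # the thread's advice: don't push the cache past an hour


def issue_session_cookie(user, now=None, lifetime=MAX_LIFETIME):
    """Return a Set-Cookie value caching user info for a limited time.

    The payload is HMAC-tagged so the client cannot forge or alter it, and
    the Secure attribute stops the browser sending it over plain HTTP.
    """
    now = time.time() if now is None else now
    lifetime = min(lifetime, MAX_LIFETIME)
    payload = json.dumps({"u": user, "exp": int(now) + lifetime},
                         separators=(",", ":")).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")
    return f"session={token}; Secure; HttpOnly; Path=/; Max-Age={lifetime}"


def verify_session(cookie_header, now=None):
    """Return the user from an authentic, unexpired session cookie, else None.

    The limit Mark raises still holds: a copy of a live cookie taken from the
    client machine verifies exactly like the original; only expiry ends it.
    """
    now = time.time() if now is None else now
    token = None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            token = value
    if not token:
        return None
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # forged or altered cookie
        return None
    claims = json.loads(payload)
    return claims["u"] if claims["exp"] > now else None
```

The HMAC and the Secure attribute stop forgery and plaintext sniffing; they do not stop a user of the same machine from presenting the stored cookie before it expires, which is why the lifetime is capped.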