Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: "van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>
Date: Wed, 27 Dec 2000 14:11:34 +0100
On Tue, 26 Dec 2000, Thomas Reinke wrote:
> Philip Stoev wrote:
>
> > > Something like an MD5 hash is pretty good for this. Perhaps a hash of the user's first and last name, address and the record ID.
> >
> > The IP address must always be a part of the session ID, and must be checked
>
> No...that won't work. There are numerous users (few compared to the whole, but enough that it needs to be covered) that sit behind round robining proxy/NAT devices. This means the same user that in one second comes in as one IP address will come on the request as a second IP address. You could of course restrict the IP check to the same class C (until you find someone that has the proxy across multiple class C's...)
If this would happen I would consider that proxy to be broken. The client IP address is a definite requirement to verify.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij () caiw nl http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
This message has not been checked and may contain harmful content.
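The two designs argued over in this thread, as an added example that is not code from any of the posters: a session ID derived by hashing user attributes versus one drawn from a CSPRNG, and a server-side store whose client-IP binding can be set to the full address, the same class C (/24), or no check at all. The `proxy_rotation_outcomes` scenario is constructed: one user whose requests leave a round-robin proxy farm on changing source addresses, which is exactly the case Thomas Reinke raises.

```python
import hashlib
import ipaddress
import secrets

# The scheme suggested in the thread: hash a few user attributes. It is
# deterministic, so it is identical on every login and can be recomputed
# by anyone who knows those (often public) fields.
def derived_session_id(first, last, address, record_id):
    data = f"{first}|{last}|{address}|{record_id}".encode()
    return hashlib.md5(data).hexdigest()

# An unguessable, per-login identifier from the OS CSPRNG.
def random_session_id():
    return secrets.token_hex(16)

class SessionStore:
    # ip_policy: 'exact' (full address), 'class_c' (same /24) or 'none'
    def __init__(self, ip_policy="exact"):
        self.ip_policy = ip_policy
        self.sessions = {}  # session id -> (user, bound client address)

    def create(self, user, client_ip):
        sid = random_session_id()
        self.sessions[sid] = (user, ipaddress.ip_address(client_ip))
        return sid

    def _ip_matches(self, bound, seen):
        if self.ip_policy == "none":
            return True
        if self.ip_policy == "exact":
            return bound == seen
        if self.ip_policy == "class_c":
            return (ipaddress.ip_network(f"{bound}/24", strict=False)
                    == ipaddress.ip_network(f"{seen}/24", strict=False))
        raise ValueError(f"unknown policy {self.ip_policy!r}")

    def validate(self, sid, client_ip):
        # Returns the user, or None if the id is unknown or the source
        # address is one the binding policy rejects.
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, bound = entry
        if not self._ip_matches(bound, ipaddress.ip_address(client_ip)):
            return None
        return user

def proxy_rotation_outcomes(policy):
    # Constructed scenario: the same user arrives from three proxy
    # addresses in turn, the last one in a different /24.
    store = SessionStore(ip_policy=policy)
    sid = store.create("alice", "203.0.113.10")
    seen = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]
    return [store.validate(sid, ip) == "alice" for ip in seen]
```

With the exact policy the legitimate user is logged out on the second request; the class C relaxation survives the first rotation but not a proxy that spans two networks, which is the residual problem the thread leaves open.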