Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: Robert van der Meulen <rvdm () CISTRON NL>
Date: Wed, 27 Dec 2000 19:33:46 +0100
Quoting Olle Segerdahl (olle () ENVY2 NXS SE):
> These values you propose to "compute" the cookie from should be stored in the session entry of the server and not the token value itself... Can someone explain to me the benefits of Hugo's approach vs. a pseudo-random value as a token?
A computed cookie is none beneficial to a non-computed cookie, but if it consists of a hashed value, derived from the token values you want to verify, and something random, the cookie itself is essentially almost random, and it's easier to check if it's valid or not. You don't want to do a database lookup and/or some file reads to know if a cookie is faked/timed out, especially on a busy site.

Mind: I am _not_ saying that including non-random values in the calculation of a cookie doesn't make it less random/guessable; it doesn't. The payoff is between slower cookie-management with more security, or fast cookie-management and less security. In this case the speed outweighs the security for most applications, afaiac.

Greets,
Robert
--
Insanity is hereditary. You get it from your kids.
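The two designs argued over in this thread, put side by side as an added example (this is not code from the list, from Hugo, or from Robert). The "computed" cookie is a keyed hash over the fields the server wants to verify plus a random nonce, so the server checks it by recomputing the MAC with a secret it alone holds and never touches a database or file. The "pseudo-random token" cookie carries no meaning and must be looked up in a server-side table. The field layout, the TTL handling, the separator and all helper names are assumptions made for illustration; the server key is a constructed value that a real deployment would load from protected configuration.

```python
"""Added example: keyed-hash session cookie vs. opaque random token.

Both designs are illustrated with assumed names and layout; nothing here
is the thread's own code.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side key. It must never reach the client; a real
# deployment loads it from protected configuration and rotates it.
SERVER_SECRET = secrets.token_bytes(32)

SEP = "|"  # assumed field separator; user ids must not contain it


def _mac(secret: bytes, payload: str) -> str:
    """HMAC-SHA256 over the cookie fields; this is the 'hashed value'."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def make_computed_cookie(user_id: str, ttl: int, *,
                         secret: bytes = SERVER_SECRET,
                         now: Optional[float] = None) -> str:
    """Build user|expiry|nonce|mac.

    The nonce is the 'something random' from the post; the MAC covers the
    user id, the expiry and the nonce together, so none can be altered.
    """
    if SEP in user_id:
        raise ValueError("user_id must not contain the separator")
    expires = int(_now(now) + ttl)
    nonce = secrets.token_hex(16)
    payload = SEP.join([user_id, str(expires), nonce])
    return payload + SEP + _mac(secret, payload)


def verify_computed_cookie(cookie: str, *, secret: bytes = SERVER_SECRET,
                           now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None.

    No server-side state is consulted: a forged or expired cookie is
    rejected purely from what the cookie carries plus the server secret.
    """
    try:
        payload, mac = cookie.rsplit(SEP, 1)
        user_id, expires_s, _nonce = payload.split(SEP)
        expires = int(expires_s)
    except ValueError:
        return None
    # Check the MAC first, in constant time, before trusting any field.
    if not hmac.compare_digest(_mac(secret, payload), mac):
        return None
    if _now(now) >= expires:
        return None
    return user_id


class RandomTokenSessions:
    """Opaque-token design: the cookie is random; its meaning lives server-side."""

    def __init__(self):
        self._table = {}  # token -> (user_id, expiry); the lookup the post wants to avoid

    def create(self, user_id: str, ttl: int, *,
               now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)
        self._table[token] = (user_id, int(_now(now) + ttl))
        return token

    def verify(self, token: str, *, now: Optional[float] = None) -> Optional[str]:
        entry = self._table.get(token)
        if entry is None:
            return None
        user_id, expires = entry
        if _now(now) >= expires:
            self._table.pop(token, None)  # drop timed-out entries on sight
            return None
        return user_id


if __name__ == "__main__":
    c = make_computed_cookie("alice", 3600, now=1000)
    print(verify_computed_cookie(c, now=2000))                          # alice
    print(verify_computed_cookie(c.replace("alice", "bob"), now=2000))  # None: MAC fails
    print(verify_computed_cookie(c, now=4600))                          # None: expired
```

The trade-off Robert describes is visible in the two verify paths: `verify_computed_cookie` does one HMAC and one comparison per request, while `RandomTokenSessions.verify` needs a table (in practice a database or file) that every front end can reach. The computed design is only as strong as the secrecy of `SERVER_SECRET`; the non-random fields in the payload are readable by the client and are protected against tampering, not against disclosure.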