Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: Robert van der Meulen <rvdm () CISTRON NL>
Date: Wed, 27 Dec 2000 19:33:46 +0100

Quoting Olle Segerdahl (olle () ENVY2 NXS SE):
These values you propose to "compute" the cookie from should be stored in
the session entry of the server and not the token value itself...

Can someone explain to me the benefits of Hugo's approach vs. a pseudo-random
value as a token?

A computed cookie is no more beneficial than a non-computed cookie, but if it
consists of a hashed value, derived from the token values you want to
verify, and something random, the cookie itself is essentially almost
random, and it's easier to check if it's valid or not.
You don't want to do a database lookup and/or some file reads to know if a
cookie is faked/timed out, especially on a busy site.
Mind: I am _not_ saying that including non-random values in the calculation
of a cookie doesn't make it less random/guessable; it doesn't.
The payoff is between slower cookie-management with more security, or fast
cookie-management and less security. In this case the speed outweighs the
security for most applications, afaiac.

Greets,
        Robert
--
             Insanity is hereditary. You get it from your kids.
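Robert's fast-path argument above, written out as an added Python example (not code from either poster): the cookie carries the values it binds, a random nonce and a keyed hash over them, so validity and expiry are checked with no database or file lookup. The secret key, the field layout and all names here are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical server-side secret; a real deployment loads it from config.
SECRET_KEY = b"constructed-example-key-not-for-real-use"


def make_cookie(user_id: str, expires_at: int,
                nonce: Optional[bytes] = None, key: bytes = SECRET_KEY) -> str:
    """Build a self-validating cookie: bound values | expiry | nonce | tag.

    The nonce makes the cookie look random; the keyed hash (HMAC-SHA256)
    makes every field tamper-evident. user_id must not contain '|'.
    """
    nonce = os.urandom(16) if nonce is None else nonce
    payload = f"{user_id}|{expires_at}|{nonce.hex()}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "|" + tag


def verify_cookie(cookie: str, now: int, key: bytes = SECRET_KEY) -> Tuple[bool, str]:
    """Check a cookie with no session-store lookup.

    Returns (ok, reason); reason is 'ok', 'malformed', 'forged' or 'expired'.
    The tag is checked before the expiry field is trusted, so a client cannot
    extend its own session by editing the expiry.
    """
    parts = cookie.split("|")
    if len(parts) != 4:
        return False, "malformed"
    user_id, expires_str, nonce_hex, tag = parts
    payload = f"{user_id}|{expires_str}|{nonce_hex}".encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so timing differences do not leak tag bytes.
    if not hmac.compare_digest(expected, tag):
        return False, "forged"
    try:
        expires_at = int(expires_str)
    except ValueError:
        return False, "malformed"
    if now >= expires_at:
        return False, "expired"
    return True, "ok"
```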

