Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: "Edwards, David (JTD)" <Edwards.David2 () SAUGOV SA GOV AU>
Date: Thu, 28 Dec 2000 09:54:06 +1030
Hi folks,
-----Original Message-----
From: Mark Curphey [mailto:mark () CURPHEY COM]
Sent: Wednesday, 27 December 2000 12:56 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] HTTP Secure Session State Management

The thread started as a discussion on state management once authentication had taken place; i.e. maintaining that authenticated state securely without asking a user to re-authenticate each time he requested a page.

This thread has been interesting in that it points out the difficulties of using an essentially stateless protocol for long lived authenticated "sessions". Everyone is attempting to add on some state information at the application layer for security.

This is one thing that worries me about the growth of the WEBDAV/NDSDAV/.NET stuff in that it leverages the connectivity of port 80 for stuff that would normally need real security, such as remote file and print services.

To attempt to bring this back "on-topic" a bit :-) Has anyone looked at network penetration using WEBDAV/NDSDAV? Or even seen a security evaluation of WEBDAV/NDSDAV?

ciao
dave

---
Dave Edwards
Justice Technology Division
Ph: +61 8 82265426 || 0408 808355
mailto: edwards.david2 () saugov sa gov au
Snail : Justice Technology Division GPO Box 2048, Adelaide 5001
---
The information in this e-mail may be confidential and/or legally privileged. Use or disclosure by anyone other than the intended recipient is prohibited and may be unlawful. If you have received this e-mail in error, please advise me immediately
---