WebApp Sec mailing list archives
Re: Session Fixation
From: "Ian" <webappsec () fishnet co uk>
Date: Tue, 01 Apr 2003 09:50:32 +0100
On 1 Apr 2003 at 0:28, HarryM wrote:
Actually, I think suggesting to anyone that they invest in half-measures when their time can be better spent elsewhere is even more damaging. On the one hand, I can see your argument: it raises the bar ever so slightly, which is a good thing. But I don't think it's a good _enough_ thing. Consider that most people implementing these systems _aren't_ experts. They understand IP, they understand networking, but they don't really think about how to break things, so relying on IP seems "good enough". Giving the un-informed bad choices and telling them to get it right is a recipe for disaster if ever I've seen one.

One should never rely on IP for *anything* :-)

I agree, except to say that I wouldn't consider it "investing in half measures" - at least, not the way I've coded it - since (a) it's one small measure among many other precautions taken (tamper-proof cookies, detection of scripted attacks, input validation, account lockouts, and so on) and (b), at ~5 lines of code, it's not much of an investment!

I very much agree that it should be made known to as many people as possible that IP, in the context of web services, is unreliable as a means of identification, as silly as that may sound to the uninitiated, and that it should never be depended on for anything - least of all security.

HarryM
Hi,

Has anyone put the Internet Explorer "Super Cookie" to use? For the particular app I am working on, I can guarantee that all the users are connecting with IE over SSL. Plus they all (mainly) go through a router from the same LAN, thus appear to have the same IP. I am currently logging the super cookie to try and determine if it really is unique enough.

Regards
Ian
--
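The thread argues three things at once: session fixation is defeated by issuing a fresh session id at login, a "tamper-proof cookie" (HarryM's term) stops the client from forging ids, and an IP check is at best one small extra measure, which Ian's shared-router scenario shows directly since every user presents the same address. The following is an added example written for this archive page, not code from any poster; the server-side key, the session store and the 203.0.113.x / 198.51.100.x addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that never reaches the client.
SECRET_KEY = b"constructed-demo-key-replace-in-production"


def sign(value: str) -> str:
    """Tamper-proof cookie: session id plus an HMAC tag keyed on SECRET_KEY."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(cookie: str):
    """Return the session id if the tag is valid, otherwise None."""
    try:
        value, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return value


class SessionStore:
    """Minimal server-side session table: sid -> {user, ip}."""

    def __init__(self):
        self.sessions = {}

    def new_session(self, client_ip: str) -> str:
        # Pre-login session; this is the id a fixation attack would try to plant.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "ip": client_ip}
        return sign(sid)

    def login(self, cookie: str, username: str, client_ip: str) -> str:
        # Anti-fixation: whatever id the client arrived with is discarded and a
        # fresh one is issued, so a pre-planted id never becomes authenticated.
        old = verify(cookie)
        if old in self.sessions:
            del self.sessions[old]
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "ip": client_ip}
        return sign(sid)

    def user_for(self, cookie: str, client_ip: str):
        # Returns the authenticated user, or None if the cookie is forged,
        # unknown, or presented from a different IP (the ~5-line check).
        sid = verify(cookie)
        if sid is None or sid not in self.sessions:
            return None
        sess = self.sessions[sid]
        if sess["ip"] != client_ip:
            return None
        return sess["user"]


def demo() -> dict:
    """Walk through fixation, tampering and the shared-NAT case from the thread."""
    store = SessionStore()
    nat_ip = "203.0.113.7"  # constructed: every user behind the same router

    pre = store.new_session(nat_ip)          # id visible before authentication
    post = store.login(pre, "alice", nat_ip)  # fresh id issued at login

    # Flip the last hex digit of the tag to simulate a forged cookie.
    tampered = post[:-1] + ("1" if post[-1] == "0" else "0")

    return {
        "fixed_id_rejected": store.user_for(pre, nat_ip) is None,
        "fresh_id_works": store.user_for(post, nat_ip) == "alice",
        "tampered_rejected": store.user_for(tampered, nat_ip) is None,
        # Same NAT address passes the IP check: it cannot tell users apart.
        "same_nat_ip_passes": store.user_for(post, nat_ip) == "alice",
        "other_ip_rejected": store.user_for(post, "198.51.100.9") is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The ordering matters: the id is regenerated inside `login`, after the credentials are accepted, and the old id is deleted rather than merely overwritten. The IP comparison is kept deliberately last; it rejects a cookie replayed from elsewhere but, as the `same_nat_ip_passes` result shows, offers nothing against another user on the same LAN, which is exactly why the thread treats it as a minor supplement rather than a control.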
Current thread:
- Re: Session Fixation Ian (Apr 01)
- Re: Session Fixation Fred van Engen (Apr 01)
- <Possible follow-ups>
- RE: Session Fixation Douglas Schlenker (Apr 01)
- Re: Session Fixation Matt Fisher (Apr 01)
- Re: Session Fixation Alex Russell (Apr 01)
- RE: Session Fixation Cyrill Osterwalder (Apr 01)
- Re: Session Fixation Matt Fisher (Apr 01)