WebApp Sec mailing list archives
Re: Session Fixation
From: Alex Russell <alex () netWindows org>
Date: Tue, 1 Apr 2003 14:33:19 -0600
On Tuesday 01 April 2003 12:33 pm, Matt Fisher wrote:

> http://www.computerbytesman.com/privacy/supercookie.htm
>
> wow. What a mess. Although I suppose the blame lies much more with the permissive nature of IE than with WMP per se.
>
> Has anyone put the Internet Explorer "Super Cookie" to use? For the particular app I am working on, I can guarantee that all the users are connecting with IE over SSL. Plus they all (mainly) go through a router from the same LAN, thus appear to have the same IP. I am currently logging the super cookie to try and determine if it really is unique enough.

Given the above description, you should note that trusting said "super-cookie" is no better than an IP because it is something that _you didn't issue_. If you didn't issue it, you can't verify it. If you can't verify it, you can't trust it (PKI is the notable exemption to the issuing rule, as you can verify without issuing). If you can't trust it, you shouldn't use it as a basis for security measures.

I'm sure it's plenty unique (in the common case), however good security design (and good accessibility design) strongly suggest that you design your app so that it continues to function correctly in the _uncommon_ case. Not just when the browser is being complicit in the degradation of its users' privacy.

Also, why should you count on the machine having WMP installed in the first place? And why should you rely on JavaScript?

--
Alex Russell
alex () netWindows org
alex () SecurePipe com
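The "if you didn't issue it, you can't verify it" rule from the reply above, as an added example (not code from the list or its authors): the server mints its own session identifiers, binds them with an HMAC it alone can compute, keeps state server-side, and rotates the id on login so a client-presented identifier, whether a fixated one or a browser-supplied "super cookie", is never promoted to an authenticated session. The key and identifier format are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example; a real deployment loads it from a secret store.
SERVER_KEY = b"example-server-key-do-not-reuse"


def issue_session_id() -> str:
    """Mint a fresh random identifier and MAC it so only this server can produce a valid one."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_session_id(session_id: str) -> bool:
    """Accept an identifier only if the server's own MAC over it checks out."""
    try:
        nonce, tag = session_id.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


class SessionStore:
    """Server-side sessions keyed only by identifiers the server issued itself."""

    def __init__(self) -> None:
        self._sessions = {}  # session id -> session data

    def start(self) -> str:
        """Begin an anonymous session with a server-issued id."""
        sid = issue_session_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_id: str, user: str) -> str:
        """Authenticate the user. Whatever id the client presented is retired, never
        upgraded: the authenticated session always gets a newly issued id."""
        if verify_session_id(presented_id) and presented_id in self._sessions:
            self._sessions.pop(presented_id)  # retire the pre-login id
        new_sid = issue_session_id()
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, presented_id: str):
        """Resolve the user for a presented id; unissued or unknown ids resolve to None."""
        if not verify_session_id(presented_id):
            return None
        return self._sessions.get(presented_id, {}).get("user")
```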