WebApp Sec mailing list archives
RE: Session Fixation
From: Cyrill Osterwalder <cyrill.osterwalder () seclutions com>
Date: Wed, 02 Apr 2003 09:15:12 +0200
> I am currently logging the super cookie to try and determine if it really is unique enough.
I always prefer, and also recommend, having a session identifier whose uniqueness is controlled and therefore guaranteed by the server, not by any client software. The server software should not rely on the client side regarding this issue.
When using SSL connections, I often use the SSL session ID, which is exactly such an example where the server guarantees uniqueness. However, the SSL session ID also has some problems, such as old browser versions not keeping it long enough, or losing sessions if your server-side SSL session pool is not big enough. If one of these issues is relevant, I build long enough and very good random identifiers, where I guarantee uniqueness in the session management code.
Cyrill
---------------------------------------------------
Cyrill Osterwalder
Chief Technology Officer
http://www.seclutions.com
PGPKey FP :5C84E132BBD50AB1627BF873D3B6CAF4C70E7ACB
PGPKey URL:ldap://certserver.pgp.com
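The approach described in the message above, a session identifier that is long, random, and whose uniqueness is enforced in the server's own session management code, as an added example that is not part of the original post or of any product mentioned in it. The `SessionStore` class, its method names, the 32-byte token length and the idle timeout are assumptions chosen for illustration. The store never adopts an identifier it did not issue itself and rotates the identifier when a user authenticates, which is the server-side control that defeats session fixation.

```python
import secrets
import time


class SessionStore:
    """In-memory session store in which only the server mints session IDs.

    Hypothetical example class written for this illustration; it is not code
    from the mailing-list thread.
    """

    def __init__(self, token_bytes=32, idle_timeout=1800, clock=time.time):
        self._sessions = {}              # sid -> {"user", "data", "last_seen"}
        self._token_bytes = token_bytes  # 32 bytes = 256 bits from the OS CSPRNG
        self._idle_timeout = idle_timeout
        self._clock = clock              # injectable so expiry can be tested offline

    def _mint_id(self):
        # Uniqueness is enforced here, on the server, by checking the store;
        # it is never assumed from a client-supplied value.
        while True:
            sid = secrets.token_urlsafe(self._token_bytes)
            if sid not in self._sessions:
                return sid

    def create(self, data=None):
        """Start a fresh, unauthenticated session and return its server-minted ID."""
        sid = self._mint_id()
        self._sessions[sid] = {"user": None, "data": dict(data or {}),
                               "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the session for a server-issued, non-expired ID, else None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > self._idle_timeout:
            del self._sessions[sid]      # idle sessions are purged on access
            return None
        entry["last_seen"] = self._clock()
        return entry

    def resume_or_create(self, presented_sid):
        """Map the cookie value a client presents to a usable session ID.

        A value the server never issued is not adopted as a session; the client
        is handed a fresh server-minted ID instead.
        """
        if presented_sid is not None and self.lookup(presented_sid) is not None:
            return presented_sid
        return self.create()

    def authenticate(self, sid, user):
        """Bind a user to the session and rotate the ID at this privilege change."""
        old = self.lookup(sid)
        if old is None:
            raise KeyError("unknown or expired session")
        new_sid = self._mint_id()
        self._sessions[new_sid] = {"user": user, "data": old["data"],
                                   "last_seen": self._clock()}
        del self._sessions[sid]          # the pre-login ID stops working at once
        return new_sid

    def destroy(self, sid):
        """Server-side logout: forget the session regardless of the cookie."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    # Constructed input: a cookie value the server never issued.
    anon = store.resume_or_create("not-issued-by-this-server")
    print("server-minted id:", anon)
    logged_in = store.authenticate(anon, "alice")
    print("rotated at login:", logged_in,
          "| old id still valid:", store.lookup(anon) is not None)
```

`secrets.token_urlsafe` draws from the operating system's CSPRNG, so the identifier's quality does not depend on anything the browser sends; the collision check in `_mint_id` is what turns "very probably unique" into "guaranteed unique within this store".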
Current thread:
- Re: Session Fixation Ian (Apr 01)
- Re: Session Fixation Fred van Engen (Apr 01)
- <Possible follow-ups>
- RE: Session Fixation Douglas Schlenker (Apr 01)
- Re: Session Fixation Matt Fisher (Apr 01)
- Re: Session Fixation Alex Russell (Apr 01)
- RE: Session Fixation Cyrill Osterwalder (Apr 01)
- Re: Session Fixation Matt Fisher (Apr 01)