WebApp Sec mailing list archives
Re: session id abuse
From: hans <hans () e35203 upc-e chello nl>
Date: Sat, 14 Feb 2004 01:17:22 +0100 (CET)
On Fri, 13 Feb 2004, Johnny GoLightly wrote:
> User requires access to a web application for a long period of time with inactivity. Therefore assume that sessionID never expires.

Sessions can be expired. When, for example, you use PHP you could set the session handler to store the info in a database server. With the garbage collector you would be able to delete this information. If you are not deleting it, it would only be readable for the session owner.

Hans

-- 
begin http://<XSS_VULN_HOST>/<script>var i; for (i=1;i<1000000;i++) { document.write("\<iframe src=\"snews://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + i + "\"\>\<\/iframe>"); } document.refresh; </script>
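The database-backed PHP session handler with a garbage collector that Hans describes, written out as an added example (this is not code from the post or from PHP's own distribution). It assumes PHP 8.0 or later with the pdo_sqlite extension, and a writable database path given by the constant SESSION_DB; the table layout and the 30-minute idle limit are choices made for the example.

```php
<?php
// Added example, not from the mailing-list post: a PDO/SQLite-backed session
// handler whose gc() deletes sessions that have been idle longer than
// session.gc_maxlifetime. Assumes PHP >= 8.0 with pdo_sqlite and a writable
// path in SESSION_DB (assumed location).
declare(strict_types=1);

const SESSION_DB = '/tmp/sessions.sqlite';   // assumed path

final class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;

    public function __construct(string $dsn)
    {
        $this->db = new PDO($dsn);
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // last_seen is the Unix time of the most recent write for this id.
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions (
                 id        TEXT PRIMARY KEY,
                 data      TEXT NOT NULL,
                 last_seen INTEGER NOT NULL)'
        );
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetchColumn();
        // An unknown id yields an empty session rather than an error.
        return $row === false ? '' : (string) $row;
    }

    // Every write refreshes last_seen, so an active user is never expired
    // while a session that goes quiet eventually is.
    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, last_seen) VALUES (?, ?, ?)'
        );
        return $st->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $st->execute([$id]);
    }

    // PHP calls this with session.gc_maxlifetime; idle rows are deleted and
    // the number of removed sessions is returned.
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_seen < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// Sessions idle for more than 30 minutes become collectable.
ini_set('session.gc_maxlifetime', '1800');
// Run the collector on every request so the effect is visible; a production
// setup uses a lower probability or triggers gc() from a scheduled job.
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '1');
// Refuse session ids the server never issued, so a stale or guessed id
// cannot be adopted as a fresh session.
ini_set('session.use_strict_mode', '1');

session_set_save_handler(new DbSessionHandler('sqlite:' . SESSION_DB), true);
session_start();
$_SESSION['last_page'] = $_SERVER['REQUEST_URI'] ?? '/';
```

The expiry here is measured from the last write, not from login, which is the "inactivity" case raised in the original question: a user who keeps working keeps the row fresh, while an abandoned id is removed by gc() once it falls behind gc_maxlifetime. Because PHP only runs gc() probabilistically at session_start(), a site that wants deterministic cleanup should also call the handler's gc() from a cron-style task instead of relying on gc_probability alone.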
Current thread:
- Session ID Abuse Johnny GoLightly (Feb 13)
- Re: Session ID Abuse Paul (Feb 15)
- Re: Session ID Abuse lists AT dawes DOT za DOT net (Feb 15)
- <Possible follow-ups>
- session id abuse Johnny GoLightly (Feb 13)
- Re: session id abuse npguy (Feb 15)
- Re: session id abuse hans (Feb 15)
- RE: Session ID Abuse Kris Wilkinson (Feb 15)
- Re: Session ID Abuse Steve Shah (Feb 15)