WebApp Sec mailing list archives
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"
From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 22 Dec 2004 19:17:22 +0100
* Elihu Smails:
Sessions should track the remote IP address of the client at a minimum
Only if you don't like AOL users. Load-balanced proxies with different outgoing IP addresses are common.
so that this problem could go away.
It doesn't, users behind the same proxy can attack each other.
Many programs that I have written have custom session management that track not only client IP, but browser, any certificate info and username.
And you put all this data into request parameters? Wow. What a waste of bandwidth. 8-)
Current thread:
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications", (continued)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Eran Tromer (Dec 20)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Elihu Smails (Dec 20)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Sverre H. Huseby (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Elihu Smails (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Sverre H. Huseby (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Sverre H. Huseby (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Joseph Miller (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Florian Weimer (Dec 23)