WebApp Sec mailing list archives
Re: Maia Mailgaurd http://www.renaissoft.com/maia/
From: Chuck <chuck.lists () gmail com>
Date: Mon, 18 Jul 2005 11:57:30 -0400
Responses below....

On 7/18/05, Achim Hoffmann <kirke11 () securenet de> wrote:

> !! In short, you are better off putting the session id in a cookie than
> !! putting it in the URL.
>
> In short, it is much simpler to steal session ids from cookies than from the URL; for exceptions see below.

No, they are both easy. If there is an XSS on the site, then you can get the URL with window.location.href.

> Cookies are insecure, unfortunately.

I disagree. Cookies are often insecurely used, but they can be a part of a "secure" application and I think that they are sufficient for the type of application the original poster was describing. They are not perfect, but they are better than the alternatives that are available in browsers today.

> And what's worse, most applications don't take care, for example by using the FQDN and a proper path= attribute and the secure flag.

I agree with this; applications often do not use cookies properly, which is part of the problem. I also agree with you that the application should not invalidate session IDs after some amount of time to minimize the possibility of session hijacking.

Chuck
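A check for the cookie attributes Achim lists above (FQDN in Domain=, a proper Path=, the Secure flag), added here as an example and not code from the thread or from Maia Mailguard; the session-cookie names, the host/path values and the sample headers are assumptions:

```python
# Added example, not code from the thread: audit a Set-Cookie header for the
# omissions Achim mentions (no FQDN in Domain=, overly broad Path=, missing
# Secure flag) on a session cookie. Names and sample headers are constructed.

SESSION_NAMES = {"PHPSESSID", "SESSIONID", "JSESSIONID"}  # assumed names


def parse_set_cookie(header_value):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        # bare flags such as "Secure" are stored as True, valued attrs as str
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def audit_set_cookie(header_value, app_host, app_path="/"):
    """Return a list of findings for a session cookie (empty list = passes).

    app_host is the FQDN the application is served from; app_path is the
    URL prefix the application lives under (e.g. "/maia/")."""
    name, _value, attrs = parse_set_cookie(header_value)
    if name not in SESSION_NAMES:
        return []  # only session cookies are in scope here
    findings = []
    domain = attrs.get("domain")
    if domain is True:
        findings.append("domain: attribute present without a value")
    elif isinstance(domain, str) and domain.lstrip(".").lower() != app_host.lower():
        # A parent domain (e.g. .example.com) shares the cookie with every
        # subdomain; the thread's advice is to pin it to the FQDN.
        findings.append("domain: %s is broader than host %s" % (domain, app_host))
    path = attrs.get("path")
    if not isinstance(path, str) or path.rstrip("/") != app_path.rstrip("/"):
        findings.append("path: cookie not restricted to %s" % app_path)
    if "secure" not in attrs:
        findings.append("secure: flag missing, cookie may be sent over plain HTTP")
    return findings


if __name__ == "__main__":
    weak = "PHPSESSID=abc123; Path=/; Domain=.example.com"
    fixed = "PHPSESSID=abc123; Path=/maia/; Domain=mail.example.com; Secure"
    for hdr in (weak, fixed):
        print(hdr, "->", audit_set_cookie(hdr, "mail.example.com", "/maia/") or "ok")
```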
Current thread:
- Maia Mailgaurd http://www.renaissoft.com/maia/ Christopher Canova (Jul 16)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 18)
- RE: Maia Mailgaurd http://www.renaissoft.com/maia/ Guillaume Vissian (Jul 18)
- PHP Session ID's focus (Jul 19)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 20)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 20)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 21)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Andy bentley (Jul 18)