WebApp Sec mailing list archives
Re: Cookie not expiring...
From: Rogan Dawes <discard () dawes za net>
Date: Wed, 17 Aug 2005 13:54:06 +0200
bryan allott wrote:
> I don't think the session is actually available. Maybe what is happening is that a new session with the same identifier is being resurrected? Read the following from MSDN: "Session identifiers for abandoned or expired sessions are recycled by default. That is, if a request is made that includes the session identifier for an expired or abandoned session, a new session is started using the same session identifier. You can disable this by setting the regenerateExpiredSessionId attribute of the <sessionState> configuration element to true. For more information, see Session Identifiers." .NET Framework supported in: 2.0, 1.1, 1.0. Try that?
This sounds like the application would be vulnerable to session fixation attacks (http://www.acros.si/papers/session_fixation.pdf) if it allows arbitrary session IDs to be (re-)created on the fly.
Rogan
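To make the fixation risk Rogan points at concrete, here is an added example (not code from this thread, and not ASP.NET's own session module): a small Python model of a server-side session store with two policy knobs, `recycle_ids` standing in for the MSDN "recycled by default" behaviour quoted above, and `rotate_on_login` standing in for the standard session fixation countermeasure of issuing a fresh ID once the user authenticates. The cookie name is ASP.NET's; the password, the user name and the planted ID are constructed for the demo. It goes one step beyond the thread by also running the attack with a server-issued ID, which shows why refusing unknown IDs alone does not close the hole.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

COOKIE = "ASP.NET_SessionId"   # ASP.NET's session cookie name; everything below is a model
PASSWORD = "correct horse battery staple"   # constructed credential for the demo


@dataclass
class Session:
    sid: str
    user: Optional[str] = None   # None until the user authenticates


class SessionServer:
    """Toy session layer with two policy knobs:
    recycle_ids      honour a client-supplied ID the server has no record of
                     (the MSDN 'recycled by default' behaviour)
    rotate_on_login  discard the pre-authentication ID and issue a fresh one at login
    """

    def __init__(self, recycle_ids: bool, rotate_on_login: bool) -> None:
        self.recycle_ids = recycle_ids
        self.rotate_on_login = rotate_on_login
        self.store: Dict[str, Session] = {}

    @staticmethod
    def _fresh_id() -> str:
        return secrets.token_urlsafe(18)   # unguessable; length only resembles ASP.NET's IDs

    def resolve(self, cookies: Dict[str, str]) -> Session:
        """Map a request's cookie jar to a session, creating one when needed.
        The returned session's sid is what the response's Set-Cookie would carry."""
        sid = cookies.get(COOKIE)
        if sid is not None and sid in self.store:
            return self.store[sid]
        if sid is not None and self.recycle_ids:
            # 'a new session is started using the same session identifier'
            self.store[sid] = Session(sid)
            return self.store[sid]
        fresh = self._fresh_id()
        self.store[fresh] = Session(fresh)
        return self.store[fresh]

    def login(self, cookies: Dict[str, str], user: str, password: str) -> str:
        """Authenticate; returns the session ID the browser holds afterwards."""
        session = self.resolve(cookies)
        if password != PASSWORD:
            return session.sid
        if self.rotate_on_login:
            del self.store[session.sid]          # the ID the attacker may know dies here
            session = Session(self._fresh_id())
            self.store[session.sid] = session
        session.user = user
        return session.sid

    def whoami(self, cookies: Dict[str, str]) -> Optional[str]:
        return self.resolve(cookies).user


def fixation_with_chosen_id(server: SessionServer) -> Optional[str]:
    """Attacker plants an ID of their own choosing in the victim's browser,
    the victim logs in, then the attacker presents the same ID.
    Returns the user the attacker is seen as (None = attack failed)."""
    planted = "chosenbyattacker00000000"          # constructed, never issued by the server
    server.login({COOKIE: planted}, "alice", PASSWORD)
    return server.whoami({COOKIE: planted})


def fixation_with_issued_id(server: SessionServer) -> Optional[str]:
    """Same attack, but the attacker first obtains a server-issued ID by
    visiting the site anonymously, so refusing unknown IDs does not help."""
    issued = server.resolve({}).sid
    server.login({COOKIE: issued}, "alice", PASSWORD)
    return server.whoami({COOKIE: issued})


if __name__ == "__main__":
    for recycle, rotate in [(True, False), (False, False), (False, True)]:
        chosen = fixation_with_chosen_id(SessionServer(recycle, rotate))
        issued = fixation_with_issued_id(SessionServer(recycle, rotate))
        print(f"recycle_ids={recycle!s:5} rotate_on_login={rotate!s:5} "
              f"chosen-ID attack -> {chosen!r}, issued-ID attack -> {issued!r}")
```

With recycling on and no rotation, both variants leave the attacker logged in as alice. Turning recycling off (the regenerateExpiredSessionId="true" setting quoted above, in this model) stops the chosen-ID variant only; the attacker simply fetches a valid ID first. Only rotating the ID at login defeats both, which is why the fix belongs in the authentication step, not just in the session-ID policy.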