WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

How to create (hijacking) secure HTTP sessions?

From: Michael Decker <MDecker () tesis de>
Date: Thu, 01 Jun 2006 09:13:50 +0200
        Hi!

I tried to figure out, how to create HTTP session, that are not so easy
to hijack.

So I think about that mechanisms:

* Using HTTPs
* Randomize HTTP session IDs
* Only create HTTP session ID after login
* HTTP session ID joined with IP and SSL session ID
* Block all session ID usings, that do'nt match IP and SSL session ID
* Set HTTP session timeout
* Expire HTTP session after logout

Is that all? Is there any mechanism, that isn't a good idea?

Bye,
        Michael

-- 
Michael Decker                      Michael.Decker () tesis de
TESIS SYSware GmbH                      http://www.tesis.de
Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application
security assessment by leading market research firm. Watchfire's AppScan
is the industry's first and leading web application security testing
suite, and the only solution to provide comprehensive and consolidated
remediation task lists at every level of the application. See for
yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: