WebApp Sec mailing list archives
Re: IIS 5 cookie encryption password
From: Santiago Barahona <sant-bar () dsv su se>
Date: Tue, 10 Apr 2007 09:01:45 +0200
Regarding the relationship between the cookie and the session ID:The cookie the web server generates and associates to a session ID is used to prevent DoS... basically what it does is that the server gives the cookies in the second face of the connection establishment and then "forgets" about it whilst it attends other connection requests which lines up in its stack... if the space in the stack is full, the server starts throwing away the oldest connection requests from the stack... if a client who's connection attempt has been dropped returns with the last phase of the connection establishment, it will still be able to connect because of the cookie...
Please correct me if I'm wrong... cheers, santiago On 3 Apr 07, at 18:32, Serguey Forcade wrote: Thanks, but I based my assumptions on an article from Microsoft(http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/ iisbook/c06_asp_session_id_and_session_security.mspx?mfr=true)
Even tho your statement makes sense. It's just that I haven't been able to find more info about the relationship between the session ID and the cookie. On 4/3/07, Rogan Dawes <discard () dawes za net> wrote:
Serguey Forcade wrote: > Hi, I'd like to know if anyone knows of a paper that explains how to > extract the encryption password IIS creates when it starts up, and> uses to encrypt the session ID + random data in order to generate the> cookie value the users receives. > > I'm interested in IIS 5.0. > > Thanks. > Take this with a pinch of salt, but I don't think that the session identifier and the cookie value are directly related.One reason for this statement is that if you abandon the session (usingASP), and create a new one, the cookie value does not change. However, the result of "Session.SessionID" DOES change.I suspect that the cookie value is generated using a combination of somestatic/sequential info, and some random data, and then associated withthe next available (i.e sequential integer) SessionID. When the session is abandoned, the session object associated with that integer SessionIDis discarded. A subsequent request from the client containing the oldSession Cookie value will then automatically be associated with the nextavailable sequential integer SessionID. Hope this helps. Rogan P.S. One consequence of this inability to change the cookie value through abandoning the session is that ASP apps are AUTOMATICALLY vulnerable to Session Fixation <http://www.owasp.org/index.php/Session_Fixation>. An approach to protecting ASP apps against session fixation is shown here <http://www.owasp.org/index.php/Session_Fixation_Protection>
------------------------------------------------------------------------ -
Sponsored by: WatchfireIt's been reported that 75% of websites are vulnerable to attack. That's because hackers know to exploit weaknesses in web applications. Traditional approaches to securing these assets no longer apply. Download the "Addressing Challenges in Application Security" whitepaper today, and see for yourself.
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHF------------------------------------------------------------------------ --
------------------------------------------------------------------------- Sponsored by: WatchfireToday's hackers exploit web applications to expose, embarrass and even steal. Firewalls and SSL may be commonplace but recent studies indicate 3 out of 4 websites remain vulnerable to attack. Watchfire's "Addressing Challenges in Application Security" whitepaper, explains what to do and provides a guideline to improving your own application security. Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHF --------------------------------------------------------------------------
Current thread:
- IIS 5 cookie encryption password Serguey Forcade (Apr 02)
- Message not available
- Re: IIS 5 cookie encryption password Serguey Forcade (Apr 05)
- Re: IIS 5 cookie encryption password Santiago Barahona (Apr 12)
- Re: IIS 5 cookie encryption password Santiago Barahona (Apr 12)
- Re: IIS 5 cookie encryption password Serguey Forcade (Apr 05)
- Message not available