WebApp Sec mailing list archives
RE: How can i protect against session hijacking?
From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Thu, 2 Apr 2009 17:47:45 +0100
> There are WAFs available on the market that implement secure session handling...

LOL; thanks for the comment, but to paraphrase, you're basically suggesting adding another technology to the mix (one that the client will be unlikely to be familiar with, but will have to maintain both from a platform and skills perspective), and rather than fixing the application, you duplicate some functionality into the WAF, which (unless you fix the XSS [in the WAF or application]) won't actually help with the lost session ID anyway, as the attacker will still be running mobile code in the user's browser session, with access to everything that the user has; source IP, cookies, blah-blah-blah. Doesn't sound like a particularly ideal solution to the scenario to me...

Martin...
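The point Martin makes above, modelled as an added example that is not part of the original post or of any WAF product: a hypothetical WAF rule binds a session ID to the source IP and User-Agent it was issued to, which stops replay of a stolen cookie from another host but does nothing against requests issued by injected script inside the victim's own browser, since those arrive with the victim's IP, User-Agent and cookies. All IPs, User-Agent strings and session IDs are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    # Constructed request model: where it comes from, what it carries, who caused it.
    source_ip: str
    user_agent: str
    session_id: str
    origin: str  # label only, used to report the outcome per scenario


class SessionBindingWaf:
    """Hypothetical WAF rule: a session ID is only accepted from the
    source IP / User-Agent pair it was originally issued to."""

    def __init__(self):
        self._bindings = {}  # session_id -> (source_ip, user_agent)

    def issue_session(self, session_id, source_ip, user_agent):
        self._bindings[session_id] = (source_ip, user_agent)

    def allows(self, req):
        # The WAF can only compare what it sees on the wire; it cannot tell
        # whether the user or a script in the user's browser sent the request.
        return self._bindings.get(req.session_id) == (req.source_ip, req.user_agent)


# Constructed values (RFC 5737 documentation ranges, placeholder strings).
VICTIM_IP, VICTIM_UA = "203.0.113.5", "Mozilla/5.0 (constructed)"
ATTACKER_IP, ATTACKER_UA = "198.51.100.9", "curl/0.0 (constructed)"
SESSION = "sess-constructed-0001"


def evaluate_scenarios():
    """Return {scenario: allowed?} for the three cases in the thread."""
    waf = SessionBindingWaf()
    waf.issue_session(SESSION, VICTIM_IP, VICTIM_UA)
    requests = [
        Request(VICTIM_IP, VICTIM_UA, SESSION, "legitimate user"),
        Request(ATTACKER_IP, ATTACKER_UA, SESSION, "stolen cookie replayed from attacker host"),
        # XSS case: the script runs inside the victim's browser session, so the
        # request is indistinguishable from the user's own at the WAF.
        Request(VICTIM_IP, VICTIM_UA, SESSION, "injected script in victim browser"),
    ]
    return {r.origin: waf.allows(r) for r in requests}


if __name__ == "__main__":
    for origin, allowed in evaluate_scenarios().items():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {origin}")
```

The only scenario the binding rule blocks is the out-of-browser replay; the XSS-driven request passes exactly because it has "everything that the user has", which is why the XSS itself has to be fixed.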
Current thread:
- RE: How can i protect against session hijacking? Chris Grove (Apr 01)
- <Possible follow-ups>
- RE: How can i protect against session hijacking? Martin O'Neal (Apr 01)
- Re: How can i protect against session hijacking? Justin Clarke (Apr 02)
- RE: How can i protect against session hijacking? Martin O'Neal (Apr 02)
- Re: How can i protect against session hijacking? Adam Todorski (Apr 02)
- RE: How can i protect against session hijacking? Martin O'Neal (Apr 02)
- RE: How can i protect against session hijacking? Debasis Mohanty (Apr 02)
- Re: How can i protect against session hijacking? David Scholefield (Apr 03)
- RE: How can i protect against session hijacking? Debasis Mohanty (Apr 02)
- RE: How can i protect against session hijacking? Debasis Mohanty (Apr 02)
- RE: How can i protect against session hijacking? Debasis Mohanty (Apr 02)
- Re: How can i protect against session hijacking? AF (Apr 03)
- Re: How can i protect against session hijacking? David Scholefield (Apr 03)
- RE: How can i protect against session hijacking? Debasis Mohanty (Apr 03)
- RE: How can i protect against session hijacking? Debasis Mohanty (Apr 03)
- Re: How can i protect against session hijacking? AF (Apr 03)
- Re: How can i protect against session hijacking? Rohit Sethi (Apr 02)