Educause Security Discussion mailing list archives
Re: ASP Session ID Reuse
From: Brian Reilly <reillyb () GEORGETOWN EDU>
Date: Wed, 11 Feb 2009 23:33:34 -0500
On Wed, Feb 11, 2009 at 2:14 PM, Neil Matatall <nmatatal () uci edu> wrote: [...]
> Also, isn't sharing session IDs across multiple applications a bad idea?
Yes -- until you want to deploy single-signon.
> What if one app is rock solid, while the other is full of XSS or other session compromising vulnerabilities? If they are on the same domain, can't you steal the session ID from one application and use it in the other application?
This is a big deal for applications that use cookies generated via SSO and central authentication/authorization services. Place SSO apps in their own subdomain (e.g., *.sso.foo.edu instead of *.foo.edu), limit the domain scope of SSO cookies to that subdomain, and don't let any untrusted or insecure apps in. :) --Brian
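As an added example (not code from the thread or from any of the posters), the following Python simulates how a browser scopes cookies under RFC 6265 domain matching, using the foo.edu hosts from Brian's reply. The hostnames login.sso.foo.edu, app.sso.foo.edu, vuln.foo.edu and www.foo.edu, and the cookie name SSOSESSION, are assumed for illustration only.

```python
"""Simulate browser cookie scoping (RFC 6265 domain matching) to show why an
SSO session cookie scoped to *.foo.edu reaches every app on that domain, while
one scoped to sso.foo.edu stays with the SSO hosts. Hostnames are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # lower-cased host, or the Domain attribute without a leading dot
    host_only: bool    # True when the Set-Cookie header carried no Domain attribute
    secure: bool
    http_only: bool


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the cookie domain or is a subdomain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, request_host: str) -> Optional[Cookie]:
    """Parse a Set-Cookie header the way a browser does when it arrives from
    request_host. Returns None when the browser would reject the cookie
    (RFC 6265 5.3: a host may only set cookies for itself or a parent domain)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    secure, http_only = "secure" in attrs, "httponly" in attrs
    domain_attr = attrs.get("domain", "").lstrip(".").lower()
    if domain_attr:
        if not domain_matches(request_host, domain_attr):
            return None
        return Cookie(name, value, domain_attr, False, secure, http_only)
    return Cookie(name, value, request_host.lower(), True, secure, http_only)


def cookies_sent_to(jar: List[Cookie], host: str, https: bool = True) -> List[Cookie]:
    """Cookies the browser would attach to a request for host (RFC 6265 5.4)."""
    sent = []
    for c in jar:
        if c.host_only and host.lower() != c.domain:
            continue
        if not c.host_only and not domain_matches(host, c.domain):
            continue
        if c.secure and not https:
            continue
        sent.append(c)
    return sent


def sso_cookie_exposure(domain_attr: str) -> Dict[str, bool]:
    """Constructed scenario: the SSO login at login.sso.foo.edu issues a session
    cookie with the given Domain attribute ("" means host-only). Returns, per
    host, whether the browser would send that cookie there. Any host that
    receives it and has an XSS can ride the SSO session: HttpOnly stops
    document.cookie reads, but not requests the XSS payload makes itself."""
    header = "SSOSESSION=0123456789abcdef; Secure; HttpOnly"
    if domain_attr:
        header += "; Domain=" + domain_attr
    cookie = parse_set_cookie(header, "login.sso.foo.edu")
    jar = [cookie] if cookie else []
    hosts = ["login.sso.foo.edu", "app.sso.foo.edu", "vuln.foo.edu", "www.foo.edu"]
    return {h: bool(cookies_sent_to(jar, h)) for h in hosts}


if __name__ == "__main__":
    print("Domain=foo.edu     ->", sso_cookie_exposure("foo.edu"))
    print("Domain=sso.foo.edu ->", sso_cookie_exposure("sso.foo.edu"))
    print("host-only          ->", sso_cookie_exposure(""))
```

Running it shows that with Domain=foo.edu the SSO cookie is sent to vuln.foo.edu and www.foo.edu as well, whereas Domain=sso.foo.edu confines it to the SSO subdomain and a host-only cookie to login.sso.foo.edu alone. One caveat the simulation also makes visible: parse_set_cookie accepts a cookie with Domain=foo.edu set by vuln.foo.edu, and cookies_sent_to delivers it to login.sso.foo.edu, because a host may set cookies for its parent domain. So moving SSO to its own subdomain stops the SSO session from leaking out, but a compromised sibling host can still push a session ID in (the fixation case), which is why the SSO app should accept only session IDs it issued itself.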
Current thread:
- ASP Session ID Reuse Neil Matatall (Feb 10)
- <Possible follow-ups>
- Re: ASP Session ID Reuse Brian Reilly (Feb 10)
- Re: ASP Session ID Reuse Ozzie Paez (Feb 10)
- Re: ASP Session ID Reuse Neil Matatall (Feb 11)
- Re: ASP Session ID Reuse Brian Reilly (Feb 11)
- Re: ASP Session ID Reuse Ozzie Paez (Feb 11)
- Re: ASP Session ID Reuse Josh Drummond (Feb 11)