Educause Security Discussion mailing list archives

Re: ASP Session ID Reuse


From: Brian Reilly <reillyb () GEORGETOWN EDU>
Date: Wed, 11 Feb 2009 23:33:34 -0500

On Wed, Feb 11, 2009 at 2:14 PM, Neil Matatall <nmatatal () uci edu> wrote:

> [...]
>
> Also, isn't sharing session IDs across multiple applications a bad idea?

Yes -- until you want to deploy single sign-on.

> What if one app is rock solid, while the other is full of XSS or other
> session-compromising vulnerabilities?  If they are on the same domain,
> can't you steal the session ID from one application and use it in the
> other application?

This is a big deal for applications that use cookies generated via SSO
and central authentication/authorization services.  Place SSO apps in
their own subdomain (e.g., *.sso.foo.edu instead of *.foo.edu), limit
the domain scope of SSO cookies to that subdomain, and don't let any
untrusted or insecure apps in. :)

--Brian
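Editor's note: the following is an added example, not code from the thread or from any Georgetown or UCI system. It illustrates Brian's advice about cookie Domain scope by using Python's http.cookiejar, which applies the same domain-matching rules a browser does, as a stand-in browser. The host names (login.sso.foo.edu, portal.sso.foo.edu, xss-app.foo.edu, www.foo.edu) and the cookie name sso_session are hypothetical, extrapolated from the *.sso.foo.edu example in the post. The "weak" header scopes the SSO cookie to foo.edu, so a sibling host with an XSS hole receives it; the "hardened" header scopes it to sso.foo.edu, so only hosts inside that subdomain do.

```python
"""Added example (not from the original thread): how the Domain attribute on an
SSO cookie decides which hosts a browser will send it to.

http.cookiejar implements browser-style domain matching, so it serves here as
the "browser".  All host names and the cookie name are hypothetical.
"""
import email.message
import http.cookiejar
import urllib.request


class _CannedResponse:
    """Minimal stand-in for an HTTP response: just enough (an info() method
    returning the headers) for CookieJar.extract_cookies() to parse Set-Cookie."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def browser_after_login(set_cookie_header, login_url="https://login.sso.foo.edu/login"):
    """Return a cookie jar holding whatever the (constructed) SSO login response set."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(login_url)
    jar.extract_cookies(_CannedResponse([set_cookie_header]), login_request)
    return jar


def cookie_header_sent_to(jar, url):
    """Return the Cookie header the 'browser' would attach to a request for url,
    or None if no stored cookie is in scope for that host/scheme."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


# Weak: scoped to the parent domain, so every *.foo.edu host receives the SSO session.
WEAK = "sso_session=abc123; Domain=foo.edu; Path=/; Secure; HttpOnly"
# Hardened: scoped to the SSO subdomain only, as the post recommends.
HARDENED = "sso_session=abc123; Domain=sso.foo.edu; Path=/; Secure; HttpOnly"

# Constructed sample destinations.
HOSTS = [
    "https://portal.sso.foo.edu/",  # trusted SSO-protected app inside the subdomain
    "https://xss-app.foo.edu/",     # hypothetical app with an XSS hole, same parent domain
    "https://www.foo.edu/",         # unrelated app on the parent domain
]


def exposure_report(set_cookie_header):
    """Map each sample URL to True if the SSO cookie would be sent there."""
    jar = browser_after_login(set_cookie_header)
    return {url: cookie_header_sent_to(jar, url) is not None for url in HOSTS}


if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for url, sent in exposure_report(header).items():
            print(f"  {url:30} {'SENT' if sent else 'not sent'}")
```

Running it shows the weak cookie going to all three hosts and the hardened one going only to portal.sso.foo.edu. Because the cookie also carries Secure, a plain-http request to portal.sso.foo.edu gets nothing either. Note that Domain scope only limits where the cookie is sent; it does not stop a compromised host under foo.edu from setting its own Domain=foo.edu cookie that the SSO hosts would then receive, which is another reason not to let untrusted apps share the parent domain.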
