Re: ASP Session ID Reuse

[Josh Drummond <jdrummon () UCI EDU>]

> On Wed, Feb 11, 2009 at 2:14 PM, Neil Matatall <nmatatal () uci edu> wrote:
>
> [...]
>
> > Also, isn't sharing session IDs across multiple applications a bad idea?
>
> Yes -- until you want to deploy single-signon.
>
> > What if one app is rock solid, while the
> > other is full of XSS or other session compromising vulnerabilities?  If
> > they
> > are on the same domain, can't you steal the session ID from one
> > application
> > and use it in the other application?
>
> This is a big deal for applications that use cookies generated via SSO
> and central authentication/authorization services.  Place SSO apps in
> their own subdomain (e.g., *.sso.foo.edu instead of *.foo.edu), limit
> the domain scope of SSO cookies to that subdomain, and don't let any
> untrusted or insecure apps in. :)
>
> --Brian

That's not always the case, see CAS for example.