oss-sec mailing list archives
Re: A note on cookie based sessions
From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 04 Oct 2013 08:11:03 +0200
* Kurt Seifried:
> That's a problem, but also an inherent limitation of how such session handling works. The advantages are a stateless backend, no need for state DB, if you have many backends, especially distributed, logins just work no matter which server you connect to.
The downside is that you rely on cryptography in an essential way, which is never a good idea.
> the documentation can maybe be improved (especially mentioning HTTPS/HSTS to prevent sniffing of the cookie) but generally speaking this is covered, so no CVEs here.
What about applications built on top of those stacks which do not document this? Would they receive a CVE? (Probably not, but I'd like to point out that documentation of features with a security impact is not an absolute thing.)
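As an added illustration of the trade-off the two messages above are arguing about (this is example code written for this archive page, not code from the thread or from any of the frameworks it discusses), here is a minimal stateless session cookie in Python: the session data is serialized into the cookie and protected only by an HMAC tag under a server-side key. Every name in it (SECRET_KEY, sign_session, load_session, peek_session, forge_session) is an assumption for the example. It shows why the design needs no state database and works on any backend that holds the key, why everything therefore rests on the MAC being correct, and why a cookie sniffed off the wire is as good as the original, which is the reason the quoted text points at HTTPS/HSTS.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumed server-side secret for this illustration only; a real deployment
# loads it from configuration and shares it across every backend.
SECRET_KEY = b"illustrative-secret-not-for-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _serialize(data: dict) -> str:
    # Canonical JSON so the same session always yields the same payload.
    return b64url_encode(
        json.dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")
    )


def sign_session(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize the session and append an HMAC-SHA256 tag over it.

    Nothing is stored server-side: the cookie itself is the whole session.
    """
    payload = _serialize(data)
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return payload + "." + b64url_encode(tag)


def load_session(cookie: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the session dict if the tag verifies under `key`, else None.

    Any backend holding the key accepts the cookie; there is no server-side
    record to consult, so a cookie captured on the wire is accepted exactly
    like the original. Correctness of this function is the whole security.
    """
    try:
        payload, tag_b64 = cookie.rsplit(".", 1)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison; a plain == would leak the tag byte by byte.
        if not hmac.compare_digest(expected, b64url_decode(tag_b64)):
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, TypeError):
        return None


def peek_session(cookie: str) -> Optional[dict]:
    """Read the payload WITHOUT the key: this design signs, it does not encrypt.

    Whoever can sniff the cookie can read the session contents.
    """
    try:
        return json.loads(b64url_decode(cookie.rsplit(".", 1)[0]))
    except (ValueError, TypeError):
        return None


def forge_session(cookie: str, data: dict) -> str:
    """What an attacker without the key can do: swap the payload and keep the
    old tag. load_session must reject the result."""
    tag_b64 = cookie.rsplit(".", 1)[1]
    return _serialize(data) + "." + tag_b64


if __name__ == "__main__":
    # Constructed sample session, as it would be issued after login.
    cookie = sign_session({"user": "alice", "role": "user"})
    print("issued            :", cookie)
    print("loaded            :", load_session(cookie))
    print("peeked without key:", peek_session(cookie))
    print("forged payload    :",
          load_session(forge_session(cookie, {"user": "admin", "role": "admin"})))
    print("backend, other key:", load_session(cookie, key=b"some-other-key"))
    # A sniffed copy verifies on every backend sharing the key; nothing
    # server-side distinguishes it from the original.
    print("replayed copy     :", load_session(str(cookie)))
```

Two things to note when reading it: the "no state DB" advantage and the "sniffed cookie is a valid session" problem are the same property seen from two sides, and the only checks standing between an attacker and a forged session are the MAC construction and the constant-time compare in load_session, which is the sense in which the design relies on cryptography in an essential way.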
Current thread:
- A note on cookie based sessions Kurt Seifried (Oct 03)
- Re: A note on cookie based sessions Alexander E. Patrakov (Oct 03)
- Re: A note on cookie based sessions Donald Stufft (Oct 03)
- Re: A note on cookie based sessions Kurt Seifried (Oct 03)
- Re: A note on cookie based sessions Andri Möll (Oct 04)
- Re: A note on cookie based sessions Kurt Seifried (Oct 03)
- Re: A note on cookie based sessions Florian Weimer (Oct 03)
- Re: A note on cookie based sessions cve-assign (Oct 04)
- <Possible follow-ups>
- Re: A note on cookie based sessions Igor Sverkos (Oct 04)