PaulDotCom mailing list archives
Re: Session management
From: k41zen Me <k41zen () me com>
Date: Fri, 05 Nov 2010 09:50:04 +0000
Thanks to you both for the information. I'm trying to replicate a problem which has been reported: from two separate machines, and therefore browsers, the second user, after authenticating to the app, was recognised as the first user that auth'd. Both machines are not behind a NAT'd device, so that removed that possible explanation for this if the server was tracking sessions with IPs. This is why I then began looking at the JSESSIONID cookie. Because of how Firefox uses these I can re-create the same problem using the same browser but another tab, but can't re-create this in an IE browser as it generates a new JSESSIONID per tab. My gut is telling me this server app has issues and this is what I'm trying to exploit. In tests from two separate machines and around 30 sessions the JSESSIONIDs generated were not duplicated.

On 4 Nov 2010, at 12:08, David Porcello wrote:
> The format of the JSESSIONID value may give you a clue as to the app server that generated it. Some examples are listed in the OWASP cookie database: http://www.owasp.org/index.php/Category:OWASP_Cookies_Database
>
> From personal experience I can tell you that IBM WebSphere JSESSION IDs are *massively* unique, based on about 1000 samples run through WebScarab: http://www.owasp.org/index.php/How_to_test_session_identifier_strength_with_WebScarab
>
> -----Original Message-----
> From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of k41zen Me
> Sent: Wednesday, November 03, 2010 2:51 PM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Session management
>
>> So the only cookie (JSESSIONID) sent is by Firefox right from the very first GET request and this never changes. Could it be using this one? I would expect a new cookie after auth but there isn't one. The server doesn't send anything. I've read a bit around the JSESSIONID cookie and how it differs from IE to Firefox and tabbed pages. If it is using this how are they generated? How unique are they?
>>
>> On 3 Nov 2010, at 14:21, Jim Halfpenny wrote:
>>
>>> IP authentication is one possible method I've seen in some VOIP devices. Once you send your credentials all requests from your IP are authorised as that user. It could also be taking an existing cookie set when you first visit and reusing this as your authentication token. Are there any other cookies set by this server?
>>>
>>> Jim
>>>
>>> On 2 November 2010 21:09, k41zen Me <k41zen () me com> wrote:
>>>
>>>> I'm struggling to see any session management taking place between the browser (Firefox) and a Tomcat app. The server returns no "Set-Cookie" header, there's no session info contained within the URL, the browser isn't sending auth with each request and I can't see any data within the requests that could be providing session info. Is there some other way this could be provided?
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
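The thread above is really asking two questions: does the Tomcat app issue a fresh JSESSIONID once the user has authenticated (if it keeps the pre-auth one, that is the classic session fixation pattern, and a second login from a browser carrying the same cookie would look like the first user), and are the IDs it hands out unique and unpredictable. The script below is an added example written for this archive page, not code from the thread or from Tomcat; the HTTP responses and session IDs in it are constructed samples, and the function names are my own. It pulls JSESSIONID out of raw Set-Cookie headers, reports whether the ID was rotated at login, and runs the kind of duplicate and character-distribution check one would otherwise do by eye on a WebScarab sample.

```python
import math
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample exchanges (not captured from any real server).
# Response to the very first GET: the server sets a JSESSIONID before login.
PRE_AUTH_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=A1B2C3D4E5F60718293A4B5C6D7E8F90; Path=/app; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
# Response to POST /login with valid credentials, as the thread describes it:
# no new Set-Cookie, so the pre-auth session ID is what becomes authenticated.
POST_AUTH_RESPONSE_WEAK = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /app/home\r\n"
    "\r\n"
)
# What a hardened app returns: the session ID is rotated at login.
POST_AUTH_RESPONSE_FIXED = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: JSESSIONID=F0E1D2C3B4A5968778695A4B3C2D1E0F; Path=/app; HttpOnly; Secure\r\n"
    "Location: /app/home\r\n"
    "\r\n"
)
# Constructed sample of IDs collected across several logins; one is repeated on purpose
# so the duplicate check has something to find.
SAMPLE_SESSION_IDS: List[str] = [
    "A1B2C3D4E5F60718293A4B5C6D7E8F90",
    "F0E1D2C3B4A5968778695A4B3C2D1E0F",
    "A1B2C3D4E5F60718293A4B5C6D7E8F90",
]

SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*([^=]+)=([^;\r\n]*)", re.IGNORECASE | re.MULTILINE)


def session_id_from_response(raw: str, cookie_name: str = "JSESSIONID") -> Optional[str]:
    """Return the value of cookie_name from the response's Set-Cookie headers, or None if not set."""
    for name, value in SET_COOKIE_RE.findall(raw):
        if name.strip().lower() == cookie_name.lower():
            return value
    return None


def session_rotated_at_login(pre_auth: str, post_auth: str) -> bool:
    """True only if the post-login response issues a session ID different from the pre-login one.

    A missing Set-Cookie after login means the pre-auth ID was silently promoted,
    which is the session fixation condition discussed in the thread.
    """
    before = session_id_from_response(pre_auth)
    after = session_id_from_response(post_auth)
    return after is not None and after != before


def find_duplicates(session_ids: Iterable[str]) -> Dict[str, int]:
    """Map each session ID that appears more than once to its occurrence count."""
    counts = Counter(session_ids)
    return {sid: n for sid, n in counts.items() if n > 1}


def shannon_entropy_bits_per_char(session_ids: Iterable[str]) -> float:
    """Empirical Shannon entropy of the character distribution across all sampled IDs.

    This is only a coarse strength hint (a hex alphabet caps it at 4.0 bits/char);
    a low value or a heavily skewed alphabet is a reason to look closer, not a proof
    of weakness, and a high value says nothing about predictability of the sequence.
    """
    joined = "".join(session_ids)
    if not joined:
        return 0.0
    counts = Counter(joined)
    total = len(joined)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


if __name__ == "__main__":
    print("rotated (weak app):", session_rotated_at_login(PRE_AUTH_RESPONSE, POST_AUTH_RESPONSE_WEAK))
    print("rotated (fixed app):", session_rotated_at_login(PRE_AUTH_RESPONSE, POST_AUTH_RESPONSE_FIXED))
    print("duplicates:", find_duplicates(SAMPLE_SESSION_IDS))
    print("entropy bits/char:", shannon_entropy_bits_per_char(SAMPLE_SESSION_IDS))
```

To use it on a real capture, paste the raw response headers from the first GET and from the login POST into the two strings and feed the JSESSIONIDs from repeated logins into the sample list. Thirty unique IDs, as reported in the thread, tells you nothing about rotation at login; the rotation check is the one that matches the symptom described. On the server side the corresponding fix is to invalidate the pre-auth session and create a new one when the credentials are accepted (in Servlet 3.1 and later, `HttpServletRequest.changeSessionId()`).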
Current thread:
- Session management k41zen Me (Nov 03)
- Re: Session management Jim Halfpenny (Nov 03)
- Re: Session management k41zen Me (Nov 03)
- Re: Session management Jim Halfpenny (Nov 04)
- Re: Session management David Porcello (Nov 04)
- Re: Session management k41zen Me (Nov 05)
- Re: Session management Jim Halfpenny (Nov 05)
- Re: Session management Butturini, Russell (Nov 05)
- Re: Session management k41zen Me (Nov 03)
- Re: Session management Jim Halfpenny (Nov 03)