PaulDotCom mailing list archives

Re: Session management


From: "Butturini, Russell" <Russell.Butturini () Healthways com>
Date: Thu, 4 Nov 2010 08:26:55 -0500

Depending on the backend authentication mechanisms, it may be possible to track the IP address that a JSESSIONID was issued 
to (I think the last time I've seen it done was with Oracle Identity Manager).  Other than that, I personally have seen 
WebSphere run without any JSESSIONID validation, and yes it is HIGHLY possible to take over an existing authenticated 
session.

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of David 
Porcello
Sent: Thursday, November 04, 2010 7:08 AM
To: 'PaulDotCom Security Weekly Mailing List'
Subject: Re: [Pauldotcom] Session management

The format of the JSESSIONID value may give you a clue as to the app server that generated it. Some examples are listed 
in the OWASP cookie database:
http://www.owasp.org/index.php/Category:OWASP_Cookies_Database

From personal experience I can tell you that IBM WebSphere JSESSION IDs are *massively* unique, based on about 1000 
samples run through WebScarab:
http://www.owasp.org/index.php/How_to_test_session_identifier_strength_with_WebScarab
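The uniqueness and strength check David describes running in WebScarab, written out as a small stand-alone script (an added example, not code from the thread, from OWASP or from WebScarab). It pulls JSESSIONID values out of captured Set-Cookie headers, measures how many of the sampled identifiers were distinct, and sums per-position Shannon entropy as a rough upper-bound estimate of unpredictability; the sample cookie headers, the 200-sample size and the 64-bit acceptance floor are all constructed assumptions.

```python
import hashlib
import math
import re
from collections import Counter

COOKIE_RE = re.compile(r"(?:^|;\s*)(?P<name>[^=;\s]+)=(?P<value>[^;]*)")

def extract_session_ids(set_cookie_headers, name="JSESSIONID"):
    """Pull the value of the named cookie out of a list of Set-Cookie header lines."""
    ids = []
    for header in set_cookie_headers:
        body = header.split(":", 1)[1].strip() if header.lower().startswith("set-cookie:") else header
        for m in COOKIE_RE.finditer(body):
            if m.group("name") == name:
                ids.append(m.group("value"))
    return ids

def uniqueness_ratio(ids):
    """1.0 means every sampled identifier was distinct; lower means the server reused IDs."""
    return len(set(ids)) / len(ids) if ids else 0.0

def estimated_entropy_bits(ids):
    """Sum of per-position Shannon entropies of the observed characters. Assumes
    positions are independent, so treat the result as an upper bound on what the
    sample demonstrates, not as proof of a strong generator."""
    if not ids:
        return 0.0
    width, n, total = min(len(s) for s in ids), len(ids), 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total

def assess(ids, min_bits=64.0):
    """Both metrics plus a verdict against an entropy floor (64 bits is an assumed threshold)."""
    ratio, bits = uniqueness_ratio(ids), estimated_entropy_bits(ids)
    return {"samples": len(ids), "uniqueness": ratio, "entropy_bits": bits,
            "acceptable": ratio == 1.0 and bits >= min_bits}

# Constructed samples standing in for ~200 captured responses from three hypothetical servers.
RANDOM_IDS = [hashlib.sha256(f"seed-{i}".encode()).hexdigest()[:32].upper() for i in range(200)]
SEQUENTIAL_IDS = [f"SESS{i:08d}" for i in range(200)]      # counter-based, predictable
REUSED_IDS = [RANDOM_IDS[i % 5] for i in range(200)]       # random-looking but handed out repeatedly

def headers_for(ids):
    return [f"Set-Cookie: JSESSIONID={sid}; Path=/; HttpOnly" for sid in ids]

if __name__ == "__main__":
    for label, ids in (("random", RANDOM_IDS), ("sequential", SEQUENTIAL_IDS), ("reused", REUSED_IDS)):
        print(label, assess(extract_session_ids(headers_for(ids))))
```

Feed it the Set-Cookie lines from a real capture in place of the constructed headers; a low uniqueness ratio or a low entropy estimate is the signal to look harder at how the application server generates its session identifiers.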


-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of k41zen 
Me
Sent: Wednesday, November 03, 2010 2:51 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Session management

So the only cookie (JSESSIONID) sent is by Firefox right from the very first GET request and this never changes. Could 
it be using this one? I would expect a new cookie after auth but there isn't one. The server doesn't send anything.

I've read a bit around the JSESSIONID cookie and how it differs from IE to Firefox and tabbed pages.

If it is using this how are they generated? How unique are they?



On 3 Nov 2010, at 14:21, Jim Halfpenny wrote:

IP authentication is one possible method I've seen in some VOIP 
devices. Once you send your credentials all requests from your IP are 
authorised as that user. It could also be taking an existing cookie 
set when you first visit and reusing this as your authentication 
token. Are there any other cookies set by this server?

Jim


On 2 November 2010 21:09, k41zen Me <k41zen () me com> wrote:
I'm struggling to see any session management taking place between the browser (Firefox) and a Tomcat app. The server 
returns no "Set-Cookie" header, there's no session info contained within the URL, the browser isn't sending auth 
with each request and I can't see any data within the requests that could be providing session info.

Is there some other way this could be provided?

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com





