Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: Robert van der Meulen <rvdm () CISTRON NL>
Date: Sun, 24 Dec 2000 04:56:06 +0100
Hi,

Quoting Drew Simonis (simonis () myself com):
> Apart from RFC 2965 (cookies) what other methods are available to developers to manage sessions securely; i.e. authenticate each session in a transaction? Is a decorated URL a better option?
>
> Placing the credential material in the URL is another way, yes. Is it better? To answer that, we would really need to know in what way you mean better.

Decorated URLs, containing session IDs, are almost always worse. I hate cookies, so I try to use them as little as possible, but your best bet would be a <INPUT TYPE=hidden .... > tag somewhere.

There have been some problems (also mentioned on Bugtraq) with URL-embedded session IDs, mainly in webmail clients. If you go to a different (off-site) page from a page containing 'decorated URLs', the URL you came from (referrer) can get logged. An evil admin could mail you a message with an embedded URL, have you visit his site (from the webmail client), log your session ID, and access your email. This problem is still visible in a lot of web-based systems today.

(URLs with session IDs are a potential security leak for me - so it's not that off-topic :) )

Greets,
	Robert

--
| rvdm () cistron nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |
if you remember the 60's, you weren't there.
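A defender-side check for the Referer leak described in the post, as an added example (not code from the original post or from Cistron): it scans web-server access-log lines for session IDs carried in URLs, both in our own request lines (the application is decorating URLs) and in incoming Referer headers (an ID has already leaked from somewhere), over a few constructed log lines. The parameter-name list and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx combined log: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Session-ID parameter names to look for (an assumed list; add the names your apps use).
SESSION_PARAMS = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid"}


def audit_session_ids(log_lines, names=SESSION_PARAMS):
    """Scan combined-format access-log lines for session IDs travelling in URLs.
    where == "request": we served a URL carrying a session ID, i.e. the app
        decorates URLs, and that ID rides along in the Referer of any off-site
        link the user follows from that page.
    where == "referer": a session ID from another page (ours or a third party's)
        arrived in a Referer header, the leak described in the post.
    Values are truncated so the report is not itself a copy of the credential.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = m.group("request").split(" ")
        sources = [("request", parts[1] if len(parts) > 1 else parts[0])]
        if m.group("referer") not in ("", "-"):
            sources.append(("referer", m.group("referer")))
        for where, url in sources:
            split = urlsplit(url)
            for name, value in parse_qsl(split.query, keep_blank_values=True):
                if name.lower() in names:
                    findings.append({
                        "client": m.group("client"),
                        "where": where,
                        "host": split.hostname,      # None for a bare path
                        "param": name,
                        "value_prefix": value[:4] + "...",
                    })
    return findings


# Constructed sample lines: a decorated webmail URL being served, then the
# same session ID arriving in a Referer when the user follows an off-site link.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Dec/2000:04:56:06 +0100] "GET /mail/inbox?sid=deadbeef1234 HTTP/1.0" 200 5120 "-" "Mozilla/4.7"',
    '10.0.0.5 - - [24/Dec/2000:04:57:10 +0100] "GET /promo.html HTTP/1.0" 200 812 "http://webmail.example/read?sid=deadbeef1234&msg=7" "Mozilla/4.7"',
    '10.0.0.9 - - [24/Dec/2000:04:58:00 +0100] "GET /about.html HTTP/1.0" 200 300 "http://webmail.example/login" "Mozilla/4.7"',
]
```

Note that the hidden-field alternative only keeps the ID out of the URL when the form is submitted with POST; a GET form serialises hidden fields into the query string, which this same scan would then flag.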