Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: Mark Curphey <mark () CURPHEY COM>
Date: Sun, 24 Dec 2000 09:09:30 -0800

IMHO - I am not sure how this solves the problem at all of secure session
state. Sure you can set the cookie as a secure cookie (i.e. it can only be
transmitted over https), but if I am reading you right (and I may not be)
the cookie is still set on the client machine and whatever you set can be
replayed by any user of that machine. I can't see how SSL and token based
authentication adds value here to session management. All this adds is an
encrypted tunnel to set a cookie.

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of van der Kooij, Hugo
Sent: Saturday, December 23, 2000 4:05 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] HTTP Secure Session State Management


On Fri, 22 Dec 2000, Mark Curphey wrote:

Apart from RFC 2965 (cookies) what other methods are available to
developers to manage sessions securely; i.e. authenticate each session in a
transaction?

Is a decorated URL a better option?

IMHO the best way would be to use SSL connections to reduce sniffing. If you
can support client certificates you can use them as well but don't rely on
them purely.

Once you have an encrypted tunnel use user authentication with hardware
tokens like Shiva Access Manager or Ace's Secure Server. (Combine username
+ user password with pin and hardware token response for authentication.)

Then you can use cookies to cache the use info for a limited time. (Don't
push it over an hour and make sure you keep them rather secure.)

Apart from the client certificates, this is how I created a support server.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
This message has not been checked and may contain harmful content.
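
A server-side session store of the kind Hugo's "cache the user info for a limited time" implies, written as an added example for this thread (it is not code from either poster or from the products named). It assumes the strong login has already succeeded, a constructed per-process secret, and the one-hour cap from the thread; the cookie holds only an opaque token, so a copied cookie stops working once the server-side record expires or is revoked, and the HttpOnly/SameSite attributes are later additions that were not available in 2000.

```python
import hashlib
import hmac
import secrets
import time

MAX_SESSION_SECONDS = 3600  # cap from the thread: don't push it over an hour
# Constructed per-process secret; a real deployment would persist and rotate it.
SERVER_KEY = secrets.token_bytes(32)


class SessionStore:
    """Server-side session table: the cookie carries only an opaque token."""

    def __init__(self, now=time.time):
        self._sessions = {}  # HMAC(token) -> {"user": ..., "expires": ...}
        self._now = now      # injectable clock so expiry can be tested

    @staticmethod
    def _key(token):
        # Store a keyed hash of the token: a leaked table yields no usable cookies.
        return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, username):
        """Call only after the password + hardware-token login has succeeded."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[self._key(token)] = {
            "user": username,
            "expires": self._now() + MAX_SESSION_SECONDS,
        }
        return token

    def lookup(self, token):
        """Return the user for a presented cookie, or None if unknown/expired."""
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        if self._now() > rec["expires"]:
            del self._sessions[key]  # absolute lifetime reached: drop it
            return None
        return rec["user"]

    def revoke(self, token):
        """Logout: invalidate server-side so the client's copy is worthless."""
        self._sessions.pop(self._key(token), None)


def set_cookie_header(token):
    # Secure limits transmission to HTTPS; Max-Age tells the browser the same lifetime the server enforces.
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; Max-Age={MAX_SESSION_SECONDS}; Path=/"
```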

