Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: Mark Curphey <mark () CURPHEY COM>
Date: Sun, 24 Dec 2000 09:10:47 -0800

Right but how do you pass that session ID, i.e. what mechanism ?

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Drew Simonis
Sent: Saturday, December 23, 2000 12:34 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] HTTP Secure Session State Management


[I don't really see how this is on topic, but I'll do the benefit of]
[the doubt thing and let the moderator decide...                    ]

Mark Curphey wrote:

Apart from RFC 2965 (cookies) what other methods are available to
developers to manage sessions securely; i.e. authenticate each session
in a transaction?

Is a decorated URL a better option?

Placing the credential material in the URL is another way, yes.
Is it better?  To answer that, we would really need to know in
what way you mean better.  For example, you can use encrypted
cookies, making life for an attacker a bit more difficult, while
this same option is obviously not available for a GET.  For the
concerns of function, cookies are often not the way to go, since
many users disable them and many filters deny them.  They just
aren't reliable enough.

My preferred method is to store the important information on the
server, either in a database or a unique file.  The only info I
pass between the server and the client is the unique identifier
(session id) which I do my best to make as random as possible.

Something like an MD5 hash is pretty good for this.  Perhaps
a hash of the user's first and last name, address and the record ID.

HTH
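The design Drew describes (keep the session record on the server, send the client only an opaque identifier) and the cookie mechanism Mark asks about, as an added illustration that is not code from either poster. It contrasts the suggested identifier, an MD5 over the user's name, address and record ID, with one drawn from the operating system's CSPRNG: the former is deterministic, so anyone who knows or guesses those attributes recomputes it, while the latter carries entropy that no attribute lookup reproduces. The cookie attributes (Secure, HttpOnly, SameSite), the 256-bit identifier size, the 30-minute lifetime and the cookie name are assumptions chosen for this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumptions for this example, not values from the thread.
SESSION_ID_BYTES = 32            # 256 bits from the CSPRNG
SESSION_TTL_SECONDS = 30 * 60    # idle lifetime of a server-side session


def derived_session_id(first: str, last: str, address: str, record_id: int) -> str:
    """The scheme sketched in the post: MD5 over user attributes.

    Deterministic by construction: the same inputs always give the same
    identifier, so it is only as secret as the attributes that feed it.
    """
    material = f"{first}|{last}|{address}|{record_id}".encode()
    return hashlib.md5(material).hexdigest()


def random_session_id() -> str:
    """Unguessable identifier: 256 random bits, URL-safe base64 encoded."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


@dataclass
class SessionStore:
    """Server-side session table: the client only ever holds the identifier."""
    ttl: int = SESSION_TTL_SECONDS
    _sessions: dict = field(default_factory=dict)

    def create(self, user_record: dict, now: Optional[float] = None) -> str:
        """Store a copy of the record and hand back a fresh random identifier."""
        now = time.time() if now is None else now
        sid = random_session_id()
        self._sessions[sid] = {"data": dict(user_record), "expires": now + self.ttl}
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the record for a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._sessions[sid]       # expired: drop it so it cannot be replayed
            return None
        return entry["data"]

    def destroy(self, sid: str) -> None:
        """Logout: forget the session on the server side."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str, max_age: int = SESSION_TTL_SECONDS) -> str:
    """Value of a Set-Cookie header carrying the identifier.

    Secure keeps it off plaintext HTTP, HttpOnly keeps it away from page
    scripts, SameSite=Lax limits cross-site sending (assumed attributes).
    """
    return f"SESSIONID={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample user, not real data.
    print("derived:", derived_session_id("Alice", "Smith", "1 Main St", 42))
    store = SessionStore()
    sid = store.create({"user": "alice", "record_id": 42})
    print("Set-Cookie:", session_cookie_header(sid))
    print("lookup:", store.lookup(sid))
```

Whether the identifier travels in a cookie or in a decorated URL, the server-side table is what ties it to the user; the identifier itself should be the only thing the client can influence, and it should be random rather than derived from anything the client or a third party could know.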

