Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: "van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>
Date: Tue, 26 Dec 2000 21:12:44 +0100

On Sun, 24 Dec 2000, Mark Curphey wrote:

> IMHO - I am not sure how this solves the problem at all of secure session
> state. Sure you can set the cookie as a secure cookie (i.e. it can only be
> transmitted over https), but if I am reading you right (and I may not be)
> the cookie is still set on the client machine and whatever you set can be
> replayed by any user of that machine. I can't see how SSL and token based
> authentication adds value here to session management.  All this adds is an
> encrypted tunnel to set a cookie.

The cookie should be computed from information like:
 - username
 - password
 - client IP
 - date/time
 - Some more magic
 - expire date/time

So this results in a key that is set by the server and used by the client
to cache username/password authentication for a short while. (You don't
want to type it 5 times per page with one-time passwords.)

Take a look at the mod_auth_radius code to get a grasp of it.

The actual security is still based around the use of one-time passwords.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
This message has not been checked and may contain harmful content.
