Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: "van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>
Date: Tue, 26 Dec 2000 21:12:44 +0100
On Sun, 24 Dec 2000, Mark Curphey wrote:
> IMHO - I am not sure how this solves the problem at all of secure session state. Sure you can set the cookie as a secure cookie (i.e. it can only be transmitted over https), but if I am reading you right (and I may not be) the cookie is still set on the client machine and whatever you set can be replayed by any user of that machine. I can't see how SSL and token based authentication adds value here to session management. All this adds is an encrypted tunnel to set a cookie.
The cookie should be computed from information like:

- username
- password
- client IP
- date/time
- some more magic
- expire date/time

So this results in a key that is set by the server and used by the client to cache username/password authentication for a short while. (You don't want to type it 5 times per page with one-time passwords.)

Take a look at the mod_auth_radius code to get a grasp of it. The actual security is still based around the use of one-time passwords.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij () caiw nl
http://home.kabelfoon.nl/~hvdkooij/
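A worked illustration of the cookie construction described in the reply, added here as an example (it is not code from the thread or from mod_auth_radius): the tag is an HMAC under a server secret (the "magic") over the username, a server-stored digest of the credential accepted at login, the client IP and the issue and expiry times, so a copied cookie is rejected from another address or after its lifetime. Function names, the cookie layout and the sample values are assumptions.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-example-secret-rotate-me"  # the "some more magic", known only to the server


def password_digest(credential):
    """Digest of the (one-time) password accepted at login; the server stores this, never the cookie."""
    return hashlib.sha256(credential.encode()).hexdigest()


def _mac(username, pw_digest, client_ip, issued, expires):
    # Keyed hash over every field the reply lists; the secret key is what stops a client forging it.
    msg = "|".join([username, pw_digest, client_ip, str(issued), str(expires)]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(username, credential, client_ip, now, ttl=300):
    """Cookie the server sets after a successful login; caches that login for ttl seconds."""
    issued, expires = int(now), int(now) + ttl
    tag = _mac(username, password_digest(credential), client_ip, issued, expires)
    # Only the public fields and the tag travel to the client; the password digest and secret stay server-side.
    return f"{username}|{issued}|{expires}|{tag}"


def validate_cookie(cookie, client_ip, now, pw_digest_lookup):
    """Return the username if the cookie is genuine, unexpired and presented from the same IP, else None."""
    try:
        username, issued, expires, tag = cookie.split("|")
        issued, expires = int(issued), int(expires)
    except ValueError:
        return None  # malformed cookie
    if not (issued <= now < expires):
        return None  # outside its lifetime
    pw_digest = pw_digest_lookup(username)
    if pw_digest is None:
        return None  # unknown user
    expected = _mac(username, pw_digest, client_ip, issued, expires)
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return username if hmac.compare_digest(expected, tag) else None
```

Note that binding to the client IP only helps against replay from a different host; a cookie copied from the same machine, as the quoted message points out, is still valid until it expires, which is why the lifetime should be short.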