Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: Olle Segerdahl <olle () ENVY2 NXS SE>
Date: Wed, 27 Dec 2000 15:24:40 +0100

On Tue, Dec 26, 2000 at 09:12:44PM +0100, van der Kooij, Hugo wrote:

> The cookie should be computed from information like:
>  - username
>  - password
>  - client IP
>  - date/time
>  - Some more magic
>  - expire date/time
>
> So this results in a key that is set by the server and used by the client
> to cache username/password authentication for a short while. (You don't
> want to type it 5 times per page with one-time passwords.)

This is something you see very often, people who think the cookie has to be
"computed" to be a valid security token... I do not agree.

The token given to the client to "cache authentication credentials"
should (IMHO) be a pseudo-random value that has no association with the
actual client information and authentication credentials.

These values you propose to "compute" the cookie from should be stored in
the session entry of the server and not the token value itself...

Can someone explain to me the benefits of Hugo's approach vs. a pseudo-random
value as a token?

/olle
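The design Olle argues for, as an added example that is not part of the thread and not code from either poster: the session token handed to the client is an opaque random value, and the fields Hugo lists (username, client IP, creation and expiry time) live in the server-side session entry that the token merely indexes. The names `SessionStore`, `Session`, the `ttl_seconds` parameter and the injectable `now` clock are assumptions made here for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# 32 bytes from the OS CSPRNG: the token is unguessable and carries no
# information about the user, so nothing can be learned by decoding it.
TOKEN_BYTES = 32


@dataclass
class Session:
    """Server-side session entry: the data Hugo wanted to bake into the
    cookie lives here instead, keyed by the random token."""
    username: str
    client_ip: str
    created: float
    expires: float


class SessionStore:
    def __init__(self, ttl_seconds: int = 900,
                 now: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.now = now          # injectable clock so expiry can be tested
        self._sessions: Dict[str, Session] = {}

    def create(self, username: str, client_ip: str) -> str:
        """Called once the password (or one-time password) has been verified.
        The password itself is never stored; only the fact of a successful
        login, bound to the client IP and an expiry time."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        t = self.now()
        self._sessions[token] = Session(username, client_ip, t, t + self.ttl)
        return token

    def lookup(self, token: str, client_ip: str) -> Optional[Session]:
        """Resolve a presented token. Unknown, expired, or IP-mismatched
        tokens yield None; expired and mismatched entries are dropped so a
        token cannot be retried from another address."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if self.now() >= sess.expires or sess.client_ip != client_ip:
            del self._sessions[token]
            return None
        return sess

    def destroy(self, token: str) -> None:
        """Logout: invalidation is a server-side delete, which a computed,
        self-contained cookie cannot offer without extra state anyway."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    tok = store.create("hugo", "10.0.0.5")          # constructed sample client
    print("token:", tok)
    print("valid from same IP:", store.lookup(tok, "10.0.0.5") is not None)
    print("valid from other IP:", store.lookup(tok, "10.0.0.6") is not None)
```

Because the token is a pure lookup key, the server never has to "verify" its contents; validity is decided entirely by what the store holds, so revocation, IP binding and expiry are all enforced in one place.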

