Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: Olle Segerdahl <olle () ENVY2 NXS SE>
Date: Wed, 27 Dec 2000 15:24:40 +0100
On Tue, Dec 26, 2000 at 09:12:44PM +0100, van der Kooij, Hugo wrote:
> The cookie should be computed from information like:
> - username
> - password
> - client IP
> - date/time
> - Some more magic
> - expire date/time
>
> So this results in a key that is set by the server and used by the client
> to cache username/password authentication for a short while. (You don't
> want to type it 5 times per page with one-time passwords.)
This is something you see very often, people who think the cookie has to be "computed" to be a valid security token... I do not agree.

The token given to the client to "cache authentication credentials" should (IMHO) be a pseudo-random value that has no association with the actual client information and authentication credentials. These values you propose to "compute" the cookie from should be stored in the session entry on the server and not in the token value itself...

Can someone explain to me the benefits of Hugo's approach vs. a pseudo-random value as a token?

/olle
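The design Olle describes, as an added example (not code from the thread or from any of its participants): the token handed to the client is pure CSPRNG output, and the fields Hugo lists (username, client IP, creation and expiry time, whatever "more magic" the server wants) live in a server-side session entry keyed by that token. The class and method names, the 256-bit token length, the 15-minute default lifetime and the injectable clock are all my choices for illustration; the password is deliberately not kept anywhere once the login has been checked.

```python
import secrets
import time
from dataclasses import dataclass, field

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG; the token carries no other information


@dataclass
class Session:
    """Server-side session entry: the data Hugo wanted to bake into the cookie."""
    username: str
    client_ip: str
    created: float
    expires: float
    extra: dict = field(default_factory=dict)  # any further per-session state


class SessionStore:
    # ttl_seconds: lifetime of a cached authentication (assumed default: 15 min)
    # now: clock function, injectable so expiry can be tested without sleeping
    def __init__(self, ttl_seconds=900, now=time.time):
        self._sessions = {}
        self._ttl = ttl_seconds
        self._now = now

    def create(self, username, client_ip, **extra):
        """Called after the credentials have been verified; returns the cookie value.

        Nothing about the user, the password, the IP or the time is derivable
        from the token: it is an opaque lookup key into the server-side table.
        """
        token = secrets.token_urlsafe(TOKEN_BYTES)
        now = self._now()
        self._sessions[token] = Session(username, client_ip, now, now + self._ttl, extra)
        return token

    def lookup(self, token, client_ip):
        """Return the Session for a presented cookie, or None if it is not valid.

        Invalid means: unknown token, expired, or presented from a different
        client IP than the one it was issued to. Note that binding to the
        client IP is a policy choice; it breaks for clients behind changing
        proxies or NAT pools, so a deployment may want to drop that check.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if self._now() >= sess.expires:
            # expired entries are purged on first sight instead of lingering
            del self._sessions[token]
            return None
        if sess.client_ip != client_ip:
            return None
        return sess

    def destroy(self, token):
        """Logout: forget the server-side entry; the cookie is now worthless."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    cookie = store.create("hugo", "10.0.0.1", login_method="otp")
    print("Set-Cookie: session=%s" % cookie)
    print("lookup from issuing IP:", store.lookup(cookie, "10.0.0.1"))
    print("lookup from other IP:  ", store.lookup(cookie, "10.0.0.2"))
    store.destroy(cookie)
    print("after logout:          ", store.lookup(cookie, "10.0.0.1"))
```

Because the session data is server-side, expiry, IP binding and logout are enforced by the server's own table rather than by anything the client can inspect or replay, and two logins by the same user yield two unrelated tokens.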
Current thread:
- [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Anonymous (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Olle Segerdahl (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Robert van der Meulen (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Bennett Todd (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Thomas Reinke (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Philip Stoev (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Robert van der Meulen (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Drew Simonis (Dec 26)