Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: Anonymous <nobody () REMAILER CH>
Date: Wed, 27 Dec 2000 20:45:31 -0000

On Tue, Dec 26, 2000 at 06:21:58PM -0800, Mark Curphey wrote:

> To me the contents of the cookie payload should be a unique session ID (a
> pseudo random string) that is held in a table in the application somewhere,
> maybe call it a "state table" and validate this for the session only (i.e.
> timeout value). That should be encrypted with a key that only the
> application can encrypt / decrypt.

If the value sent to the client is an opaque, unpredictable value
(e.g., the sha-1 hash of 20 bytes from /dev/random), and all state
is actually maintained on the server side, then there is no need
to encrypt the session id. You may want to sign or mac it, but this
is probably not necessary.

Anyone who can replay the unencrypted opaque identifier can just
as easily replay the encrypted opaque identifier.
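The state table described in the reply above, as an added example that is not part of the original thread: the cookie carries only an opaque id (sha-1 over 20 bytes from the OS CSPRNG, as the reply suggests), every piece of state stays in a server-side table with an idle timeout, and the HMAC tag on the cookie is optional, as the reply says. The `replay_demo` function also makes the last point concrete: a captured copy of the cookie is accepted whether or not it was wrapped in a reversible transform, and only server-side invalidation stops it. Names, the 900-second timeout, the `toy_xor` stand-in for "encryption" and the injectable clock are my assumptions, not anything from the post.

```python
import hashlib
import hmac
import os
import time


class SessionStore:
    """In-memory state table keyed by an unpredictable session id (example code).

    ttl: assumed idle timeout in seconds. mac_key: optional; when set, an HMAC
    tag is appended to the cookie so forged values are rejected before any
    table lookup. clock: injectable so expiry can be exercised offline.
    """

    def __init__(self, ttl=900, mac_key=None, clock=time.time):
        self._table = {}          # session id -> {"user": str, "expires": float}
        self._ttl = ttl
        self._mac_key = mac_key
        self._clock = clock

    @staticmethod
    def new_id():
        # 20 bytes from the OS CSPRNG, passed through sha-1 as in the post.
        # The hash adds no entropy; the 160 random bits are the security.
        return hashlib.sha1(os.urandom(20)).hexdigest()

    def create(self, user):
        """Allocate a session and return the value to put in the cookie."""
        sid = self.new_id()
        self._table[sid] = {"user": user, "expires": self._clock() + self._ttl}
        return self._to_cookie(sid)

    def _to_cookie(self, sid):
        if self._mac_key is None:
            return sid
        tag = hmac.new(self._mac_key, sid.encode(), hashlib.sha256).hexdigest()
        return sid + "." + tag

    def _from_cookie(self, cookie):
        """Return the session id, or None if the cookie is malformed or forged."""
        if self._mac_key is None:
            return cookie
        sid, sep, tag = cookie.partition(".")
        if not sep:
            return None
        expected = hmac.new(self._mac_key, sid.encode(), hashlib.sha256).hexdigest()
        # constant-time comparison so the tag check itself leaks nothing
        return sid if hmac.compare_digest(tag, expected) else None

    def lookup(self, cookie):
        """Return the user for a valid, unexpired session, else None."""
        sid = self._from_cookie(cookie)
        if sid is None:
            return None
        entry = self._table.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now >= entry["expires"]:
            del self._table[sid]              # expired: drop it from the table
            return None
        entry["expires"] = now + self._ttl    # sliding idle timeout
        return entry["user"]

    def destroy(self, cookie):
        """Logout: invalidate server-side so any stolen copy stops working."""
        sid = self._from_cookie(cookie)
        if sid is not None:
            self._table.pop(sid, None)


def toy_xor(data: bytes, key: bytes) -> bytes:
    """Toy reversible transform standing in for cookie 'encryption' (assumed,
    not secure); it exists only to show the wrapped cookie replays the same."""
    stream = hashlib.sha256(key).digest()
    stream = stream * (len(data) // len(stream) + 1)
    return bytes(a ^ b for a, b in zip(data, stream))


def replay_demo():
    """Replay of the wrapped cookie is accepted until the server drops the entry."""
    key = b"application-only key"              # assumed; only the server holds it
    t = [0.0]
    store = SessionStore(ttl=60, clock=lambda: t[0])
    plain = store.create("alice")
    wrapped = toy_xor(plain.encode(), key).hex()   # what the client actually sends
    stolen = wrapped                               # attacker captures it in transit

    def unwrap(c):
        return toy_xor(bytes.fromhex(c), key).decode()

    before = store.lookup(unwrap(stolen))          # "alice": replay accepted
    store.destroy(unwrap(wrapped))                 # server-side invalidation
    after = store.lookup(unwrap(stolen))           # None: the copy is now useless
    return before, after
```

The wrapping step changes nothing about who can use the cookie: the attacker never needs to decrypt it, only to present it again. What bounds the damage is the timeout and `destroy`, both of which live in the table, which is why the reply places all the weight on the server side and treats the tag as a convenience.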

