Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: Dom De Vitto <dom () DEVITTO COM>
Date: Wed, 27 Dec 2000 23:02:10 -0000
Can we step back a little, I'll try and recap: A) There are a few mechanisms for holding session Ids: + Cookies + Embedded-urls (Id in the GET query) + Embedded hidden form fields (Id in the POST values) any others? B) Session ids should be a random & unique (per database), and relate to session data on the server. It is a bad idea to use the 'session id' to be or hold anything else as this would allow for reverse engineering of (partially) valid session ids, presumebly reducing the brute-force space if the non-random part is predictable. Right? What else? Dom
Current thread:
- Re: [PEN-TEST] HTTP Secure Session State Management, (continued)
- Re: [PEN-TEST] HTTP Secure Session State Management Robert van der Meulen (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Drew Simonis (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management George Capehart (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Robert van der Meulen (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Drew Simonis (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Robert van der Meulen (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Dom De Vitto (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Ian Charnas (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Drew Simonis (Dec 28)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 28)
- Re: [PEN-TEST] HTTP Secure Session State Management Thomas Reinke (Dec 28)
- Re: [PEN-TEST] HTTP Secure Session State Management Matt W. (Dec 28)
- Re: [PEN-TEST] HTTP Secure Session State Management Drew Simonis (Dec 28)