Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: Dom De Vitto <dom () DEVITTO COM>
Date: Wed, 27 Dec 2000 23:02:10 -0000

Can we step back a little, I'll try and recap:

A) There are a few mechanisms for holding session Ids:
        + Cookies
        + Embedded-urls (Id in the GET query)
        + Embedded hidden form fields (Id in the POST values)
any others?

B) Session ids should be random & unique (per database), and relate to session data on the server. It is a bad idea
to use the 'session id' to be or hold anything else, as this would allow for reverse engineering of (partially) valid
session ids, presumably reducing the brute-force space if the non-random part is predictable.

Right?

What else?

Dom
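As an added illustration of point B (this is example code, not part of Dom's post): a minimal server-side session store whose IDs are cryptographically random, checked for uniqueness within the store, and carry nothing but a lookup key, shown beside the kind of structured ID the post warns against. The `SessionStore` class, its 30-minute default TTL and the 16-byte token size are assumptions of this example.

```python
import secrets
import time
from typing import Any, Dict, Optional

# 16 random bytes = 128 bits of entropy. The ID encodes nothing about the
# user, the time or the server, so the whole 2**128 space has to be searched.
TOKEN_BYTES = 16


def predictable_session_id(user_id: int, now: float) -> str:
    """Anti-pattern from the post: an ID that *is* data (user id + timestamp).

    Anyone who knows or guesses the user id only has to search the timestamp
    part, so the effective brute-force space collapses to a few thousand values.
    """
    return f"{user_id}-{int(now)}"


class SessionStore:
    """Server-side session state keyed by an opaque, random session ID."""

    def __init__(self, ttl_seconds: int = 1800) -> None:
        self._sessions: Dict[str, Dict[str, Any]] = {}
        self._ttl = ttl_seconds

    def create(self, data: Dict[str, Any], now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # Uniqueness per store is a requirement, not a probability, so loop
        # until the token is unused (a collision at 128 bits is astronomically rare).
        while True:
            session_id = secrets.token_urlsafe(TOKEN_BYTES)
            if session_id not in self._sessions:
                break
        self._sessions[session_id] = {"data": dict(data), "expires": now + self._ttl}
        return session_id

    def lookup(self, session_id: str, now: Optional[float] = None) -> Optional[Dict[str, Any]]:
        now = time.time() if now is None else now
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if now >= entry["expires"]:
            # Expired: drop the server-side state so the ID can never be reused.
            del self._sessions[session_id]
            return None
        return entry["data"]

    def destroy(self, session_id: str) -> None:
        """Logout: the client-held ID becomes worthless once the server forgets it."""
        self._sessions.pop(session_id, None)
```

The `now` parameter exists only so expiry can be exercised deterministically; in a real handler it is omitted and the wall clock is used.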

