Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: Drew Simonis <simonis () myself com>
Date: Wed, 27 Dec 2000 19:08:13 -0500

Mark Curphey wrote:

> Right but how do you pass that session ID, i.e. what mechanism?

I think we are confusing, or I guess intermingling, two different
points.  We have two things to accomplish here. We want to use an
identifier to maintain state.  This can be done in one of three
ways:  a hidden form field, appending to the URI or using a cookie.

That's it.  As far as I know, there are no other ways (universal
ways, that is) to maintain state with a CGI type application.
All three of these are vulnerable to a replay attack, all three
can be sniffed, all three can be compromised.  IMO, they are
generally equal in terms of security, or lack thereof.  If anyone
has a reason that I am wrong, I'd be happy to learn, but in my
experience, that statement holds true.

The second task is to decide _what_ information to use to maintain
state, and how you generate that information.  This is the real
concern, not how it is transmitted across the network (encryption
issues aside, I'm only talking about the three methods earlier
mentioned).  Earlier I mentioned that I like to make sure that the
session id is as random as possible, cannot be re-used and cannot
identify a user uniquely.  My example was that of an MD5 hash
of several unique items.  I still think this is the best idea.

As for the means of transmittal (hidden field, cookie, appended URI)
I don't think it really matters, from a security view, save for the
occasion where the id might be logged to a site later visited.

my .02
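As an added example, not part of the original post, here is the generation and validation side the post is concerned with: an opaque ID that carries nothing about the user, is only meaningful through a server-side table, is rotated so a value captured earlier stops working after the next rotation, and expires on inactivity. An OS CSPRNG token is used here in place of the MD5-of-unique-items construction the post favours; the in-memory store, the 15-minute TTL and the user names are constructed for illustration.

```python
import secrets
import time
from typing import Optional

# Constructed in-memory store: opaque session ID -> session record.
# The ID itself encodes nothing; the user binding lives only here.
SESSIONS = {}
SESSION_TTL = 15 * 60  # seconds of inactivity before an ID is dead


def new_session_id() -> str:
    """32 bytes from the OS CSPRNG, URL-safe encoded. Unpredictable,
    and free of any user-identifying content."""
    return secrets.token_urlsafe(32)


def create_session(user: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    sid = new_session_id()
    SESSIONS[sid] = {"user": user, "created": now, "last_seen": now}
    return sid


def validate(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user bound to sid, or None if unknown or expired.
    Expired entries are removed so the ID cannot be revived later."""
    now = time.time() if now is None else now
    rec = SESSIONS.get(sid)
    if rec is None:
        return None
    if now - rec["last_seen"] > SESSION_TTL:
        del SESSIONS[sid]
        return None
    rec["last_seen"] = now
    return rec["user"]


def rotate(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a fresh ID for the same user and retire the old one,
    e.g. at login or a privilege change. A replay of the old value
    after this point is refused, which is also a signal worth logging."""
    user = validate(sid, now)
    if user is None:
        return None
    del SESSIONS[sid]
    return create_session(user, now)


def logout(sid: str) -> bool:
    """Explicitly retire an ID; returns False if it was not live."""
    return SESSIONS.pop(sid, None) is not None
```

Whichever of the three carriers (cookie, hidden field, URI) delivers `sid`, the server only ever consults this table, so a logged or sniffed ID is worth exactly as long as the rotation and TTL policy allows.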

