Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: Drew Simonis <simonis () myself com>
Date: Wed, 27 Dec 2000 19:08:13 -0500
Mark Curphey wrote:
> Right but how do you pass that session ID, i.e. what mechanism ?
I think we are confusing, or I guess intermingling, two different points. We have two things to accomplish here.

We want to use an identifier to maintain state. This can be done in one of three ways: a hidden form field, appending to the URI or using a cookie. That's it. As far as I know, there are no other ways (universal ways, that is) to maintain state with a CGI type application. All three of these are vulnerable to a replay attack, all three can be sniffed, all three can be compromised. IMO, they are generally equal in terms of security, or lack thereof. If anyone has a reason that I am wrong, I'd be happy to learn, but in my experience, that statement holds true.

The second task is to decide _what_ information to use to maintain state, and how you generate that information. This is the real concern, not how it is transmitted across the network (encryption issues aside, I'm only talking about the three methods earlier mentioned). Earlier I mentioned that I like to make sure that the session id is as random as possible, cannot be re-used and cannot identify a user uniquely. My example was that of an MD5 hash of several unique items. I still think this is the best idea.

As for the means of transmittal (hidden field, cookie, appended URI), I don't think it really matters, from a security view, save for the occasion where the id might be logged to a site later visited.

my .02
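An added example, not code from this thread, of a server-side session store whose identifiers have the properties Drew lists (random, not re-used once retired, and carrying nothing that identifies the user); it draws the id from the OS CSPRNG via Python's `secrets` module instead of an MD5 of unique items, and bounds the replay window he mentions with idle and absolute timeouts plus rotation. The class and method names are assumptions, and the in-memory dict stands in for a real shared store.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Opaque session ids: random lookup keys that say nothing about the user."""

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600):
        self._sessions = {}          # constructed in-memory store (id -> Session)
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout

    def create(self, user, now=None):
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG, encoded as a 43-char URL-safe token.
        # The id is only a key into server-side state; user data never goes in it.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid, now=None):
        """Return the user bound to sid, or None if unknown or expired."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout or now - s.created > self.absolute_timeout:
            self.destroy(sid)        # expired ids are dropped, never revived
            return None
        s.last_seen = now
        return s.user

    def rotate(self, sid, now=None):
        """Issue a fresh id for the same user; the old id stops working at once."""
        user = self.lookup(sid, now)
        if user is None:
            return None
        self.destroy(sid)
        return self.create(user, now)

    def destroy(self, sid):
        self._sessions.pop(sid, None)
```

Rotating at login and on privilege changes means a replayed pre-login id never maps to an authenticated session.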