Vulnerability Development mailing list archives

Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)


From: Ben Ford <bford () erisksecurity com>
Date: Thu, 30 Aug 2001 14:51:55 -0700

Keith.Morgan wrote:

> I've always had a problem with using cookies or session variables for
> authentication mechanisms.  These rely on client-side output.  Session
> variables in IIS are really just temporary cookies.  I could get into a
> whole rant about "best practices" regarding cookies, session auth etc... but
> that's not really the purpose of my reply.
> What I really want to know is, how does apache deal with cookies, sessions,
> etc...  Has anyone tested to see if apache will accept user supplied cookie
> values?


Well, sure it would. But Apache is not an application server, it is only a web server. Apache doesn't care what GPC values you set, it only passes them on to whatever application you are running.

-b

--
#===================================================================#
# More dead people have written in support of Microsoft against the #
# DOJ than any other single group, leading UMSA (United MS Shills   #
# of America) President Steve Barkto to lodge a formal complaint.   #
#===================================================================#
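The exchange above turns on where cookie values are actually checked: a pass-through web server hands the Cookie header to the application unchanged, so it is the application that decides whether a client-supplied session value is honoured. The following is an added example, not code from this thread or from any of the products it names, showing that decision made on the server side. The cookie name, the store and all method names are hypothetical; it uses only the Python standard library.

```python
"""Server-side session resolution that does not trust a client-supplied
session ID (added example; names such as SESSIONID are hypothetical)."""
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSIONID"  # hypothetical cookie name


def _presented_id(cookie_header):
    """Extract the session ID the client presented, or None.

    A malformed Cookie header is treated the same as no cookie at all.
    """
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except Exception:  # CookieError on garbage input: treat as absent
        return None
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


class SessionStore:
    """Sessions live here, on the server; the cookie carries only a lookup key."""

    def __init__(self):
        self._sessions = {}  # session id -> per-session data

    def create(self):
        # 32 bytes of OS randomness: the client can neither predict nor choose it
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def is_valid(self, sid):
        return sid in self._sessions

    def resolve(self, cookie_header):
        """Return (session_id, issued_new).

        Only an ID this server issued is honoured. Any other value in the
        Cookie header is ignored and a fresh session is started instead, so a
        client cannot make up its own identifier and have it become valid.
        """
        presented = _presented_id(cookie_header)
        if presented is not None and presented in self._sessions:
            return presented, False
        return self.create(), True

    def resolve_trusting(self, cookie_header):
        """Weak pattern shown for contrast: whatever the client presents is
        adopted as the session key, so the client, not the server, picks the
        identifier. This is the behaviour the thread is worried about."""
        presented = _presented_id(cookie_header)
        if presented is None:
            return self.create(), True
        self._sessions.setdefault(presented, {})
        return presented, False

    @staticmethod
    def set_cookie_header(sid):
        # Attributes restrict where and how the browser will send the cookie back
        return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid, new = store.resolve(None)              # first visit: new session
    again, new2 = store.resolve(f"{COOKIE_NAME}={sid}")  # valid cookie: same session
    forged, new3 = store.resolve(f"{COOKIE_NAME}=made-up-by-client")
    print(new, new2, new3, forged != "made-up-by-client")
```

The important line is the membership test in `resolve`: the cookie value is a key into server-side state, never state in itself, so a value the server never issued simply does not resolve. `resolve_trusting` is the same flow with that test removed, which is enough to let the client dictate the session key.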