Vulnerability Development mailing list archives
Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)
From: Ben Ford <bford () erisksecurity com>
Date: Thu, 30 Aug 2001 14:51:55 -0700
Keith.Morgan wrote:
I've always had a problem with using cookies or session variables for authentication mechanisms. These rely on client-side output. Session variables in IIS are really just temporary cookies. I could get into a whole rant about "best practices" regarding cookies, session auth etc... but that's not really the purpose of my reply. What I really want to know is, how does apache deal with cookies, sessions, etc... Has anyone tested to see if apache will accept user supplied cookie values?
Well, sure it would. But Apache is not an application server, it is only a web server. Apache doesn't care what GPC values you set, it only passes them on to whatever application you are running.
-b
--
#===================================================================#
# More dead people have written in support of Microsoft against the #
# DOJ than any other single group, leading UMSA (United MS Shills   #
# of America) President Steve Barkto to lodge a formal complaint.   #
#===================================================================#
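Added example, not part of the original thread or any poster's code: since the web server hands the Cookie header to the application unchanged, the application has to decide whether a session value is one it issued. The names SERVER_KEY, SESSIONS, issue_session and authenticate are hypothetical, and the in-memory table stands in for whatever session store the application uses.

```python
import hashlib
import hmac
import secrets
from http.cookies import CookieError, SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-only secret, never sent to clients
SESSIONS = {}                         # server-side state: session id -> username


def _sign(sid: str) -> bytes:
    """HMAC tag binding a session id to this server's key."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest().encode()


def issue_session(user: str) -> str:
    """Called after a successful login; returns the value for the 'session' cookie."""
    sid = secrets.token_urlsafe(32)   # unguessable id chosen by the server, not the client
    SESSIONS[sid] = user
    return f"{sid}.{_sign(sid).decode()}"


def authenticate(cookie_header: str):
    """Map a raw Cookie header to a username, or None.

    The header is whatever the client sent; the web server passed it
    through untouched, so every field in it is untrusted input.
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get("session")
    if morsel is None:
        return None                   # flags like 'authenticated=1' carry no weight
    sid, _, mac = morsel.value.partition(".")
    if not hmac.compare_digest(mac.encode(), _sign(sid)):
        return None                   # value was not produced by issue_session()
    return SESSIONS.get(sid)          # None if the session was ended server-side
```

Removing an entry from SESSIONS ends that session even if the client keeps replaying a correctly signed cookie.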