Vulnerability Development mailing list archives

RE: CSS, CSS & let me give you some more CSS

From: <info () elitesoft org>
Date: Fri, 1 Feb 2002 11:08:59 -0500

If you use IP address for session cookie attacker can't use 
stolen cookie.
However, you can't use IP address when BGP or Proxy are used.
In this case the best protection is to change session cookie 
for each transaction using transaction counter.
This will provide a transaction non-repudiation.
If such session cookie is stolen and used by a hacker prior 
to a user, then user session will be blown away.

Mike

Current thread:

RE: CSS, CSS & let me give you some more CSS Obscure (Jan 31)
- <Possible follow-ups>
- RE: CSS, CSS & let me give you some more CSS info (Feb 01)
  - Re: CSS, CSS & let me give you some more CSS Bill Pennington (Feb 01)
- Re: CSS, CSS & let me give you some more CSS E M (Feb 01)
  - Re: CSS, CSS & let me give you some more CSS Sverre H. Huseby (Feb 01)
  - New thoughts on CSS Brett Moore (Feb 01)
    - RE: New thoughts on CSS Matt Dickinson (Feb 01)
    - RE: New thoughts on CSS jon schatz (Feb 01)
    - Re: New thoughts on CSS Blue Boar (Feb 01)
    - Re: New thoughts on CSS Jonas M Luster (Feb 03)
    - RE: New thoughts on CSS other (Feb 02)
  - Re: CSS, CSS & let me give you some more CSS Blake Frantz (Feb 01)

(Thread continues...)