WebApp Sec mailing list archives

Re: Hijacking URL Encoded Session IDs using Referer Logs


From: "Jeff Dafoe" <jeff () badtz-maru com>
Date: Mon, 25 Nov 2002 10:01:44 -0500

Many (most?) application servers use URL encoded session IDs when the
user has disabled cookies. Many users disable cookies as a security
precaution. There should be an advisory on this so that application
server vendors stop allowing URL encoded session IDs by default.

    If the sessions in a particular app are that easy to hijack then the
security issue is with that and not necessarily with the method used to
transmit the session id.  That is why the origin of a request must be
validated when a request is issued against a particular session and it is
also why sessions must be expired in a timely fashion.  I think we are
treading old territory here, stuff that was previously covered in past "poor
session handling" advisories and such.


Jeff
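The two controls Jeff names (validating the origin of a request against the session it claims, and expiring sessions promptly), together with a check for session ids leaking into Referer URLs, as an added Python example that is not part of the thread. The parameter name `jsessionid`, the client-fingerprint scheme and the timeout values are assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Assumed name of the URL-encoded session parameter (not from the post).
SESSION_PARAM = "jsessionid"


def referer_carries_session_id(referer: str) -> bool:
    """True if a Referer URL exposes a session id in its path or query."""
    parts = urlsplit(referer)
    if SESSION_PARAM in parse_qs(parts.query, keep_blank_values=True):
        return True
    # Path-matrix form: /app/page;jsessionid=ABC123
    return any(seg.split("=", 1)[0].lower() == SESSION_PARAM
               for seg in parts.path.split(";")[1:])


class SessionStore:
    """In-memory sessions bound to a client fingerprint, with idle and absolute expiry."""

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock
        self._sessions = {}

    def create(self, fingerprint: str) -> str:
        now = self.clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"fp": fingerprint, "created": now, "last": now}
        return sid

    def validate(self, sid: str, fingerprint: str) -> bool:
        """Accept only if the session exists, is not expired, and the presenting
        client matches the one that created it; reject and revoke otherwise."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        now = self.clock()
        expired = (now - s["created"] > self.absolute_timeout
                   or now - s["last"] > self.idle_timeout)
        if expired or s["fp"] != fingerprint:
            # A leaked id replayed from another client, or a stale session:
            # drop it so it cannot be reused.
            del self._sessions[sid]
            return False
        s["last"] = now
        return True
```

Run `referer_carries_session_id` over outbound Referer values in access logs to find pages that leak ids to third parties; the injectable `clock` lets the expiry paths be exercised without waiting.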

