WebApp Sec mailing list archives
Re: Hijacking URL Encoded Session IDs using Referer Logs
From: Craig_Sullivan () Waitrose co uk
Date: Mon, 25 Nov 2002 15:45:46 +0000
Hmmm,
I've long advocated not allowing session IDs in URLs *unless* they are
supplemented with additional authentication or cookies.
Quite simply, if you encode the security equivalence of the browser in a
URL you are open to:
(a) Replay attacks from the history file
(b) Sniffing attacks
(c) Logfile analysis attacks
(d) Replay of bookmarks/links
The clients I have worked with always rely upon additional information (in
the form of cookies) when verifying the session ID. In addition, many of
them implement systems that employ two separate session tracking systems -
one for the general state management issue and the second for the business
of checking 'that this was the same browser instance that authenticated
itself earlier in the session and not somebody else'. All use of the
second state management system is encrypted.
I've developed a system called the '3 cookie' tracking system but it won't
work without cookies being enabled. Quite frankly, if cookies aren't
enabled, I can't provide a secure mechanism for my clients to handle
verification of identity along with a state management system. It is worth
mentioning that in several months' use of such a system, there were a
minimal number of 'no we don't do cookies' systems that arrived on the
site. I value security more highly than the often touted position of
ensuring that disabled cookie systems can have a fallback.
My fallback is to ensure it doesn't work but at least highlights this to
the visitor.
Craig.
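As an added example (not Craig's "3 cookie" system, nor any code from this thread), the check described above in minimal form: a URL-carried session ID is accepted only when a separate cookie-held binding token matches the record stored for it, so a session ID harvested from a Referer log is useless on its own. The in-memory store, server key and function names are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed server-side state: a session store and a secret key (constructed here).
SESSIONS = {}
SERVER_KEY = secrets.token_bytes(32)

def create_session(user):
    """Issue two values: a session ID that may travel in the URL for state
    management, and a binding token that is sent only as a cookie. The server
    keeps an HMAC of the binding token rather than the token itself."""
    sid = secrets.token_urlsafe(16)
    binding = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "binding_mac": hmac.new(SERVER_KEY, binding.encode(), hashlib.sha256).hexdigest(),
    }
    return sid, binding

def authenticate_request(url_sid, cookie_binding):
    """Return the user only if the URL session ID exists AND the cookie
    binding token verifies against it; otherwise None."""
    record = SESSIONS.get(url_sid)
    if record is None or cookie_binding is None:
        return None
    expected = hmac.new(SERVER_KEY, cookie_binding.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["binding_mac"]):
        return None
    return record["user"]

def replay_from_referer(referer_url):
    """Model the thread's scenario: a third party reads the session ID out of
    a Referer header it logged and replays it without the binding cookie."""
    leaked = parse_qs(urlsplit(referer_url).query).get("sid", [None])[0]
    return authenticate_request(leaked, None)

if __name__ == "__main__":
    sid, binding = create_session("alice")
    # Constructed Referer line as a third-party log would record it.
    print(authenticate_request(sid, binding))               # alice
    print(replay_from_referer(f"https://shop.example/cart?sid={sid}"))  # None
```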