WebApp Sec mailing list archives
post to bugtraq about "session fixation"
From: Alex Russell <alex () netWindows org>
Date: Wed, 18 Dec 2002 14:13:26 -0600
I don't know if anyone else has seen this yet: http://online.securityfocus.com/archive/1/303838/2002-12-15/2002-12-21/0 but I thought it would be on topic here. I realize that it's something of a rehash of the session authentication discussions we've had before, but I'd like to point out that it does expose a weak property of the "one sessionID for everything" model that's been proposed thust far, which is that it does not allow a interaction with the client to re-instate whatever security may have been previously broken. I think that in earlier discussions, I wasn't able to adequately articulate why I felt that issuing a new nonce for ever privledged operation made more sense (and why, correspondingly, you should never send the "real" session ID along with said nonce), but this article confirms what my gut was telling me: if you guard each action individually and require that there is a continuious line of known good iteractions, you'll be safer in the long run. The paper also points out the folly of assuming that client input is somehow "right" without validating it. Why in the world would an app server ever allow the end user to present to it the session ID that it will use for that client's continued interactions? -- Alex Russell alex () netWindows org alex () SecurePipe com
Current thread:
- post to bugtraq about "session fixation" Alex Russell (Dec 18)
- <Possible follow-ups>
- Re: post to bugtraq about "session fixation" securityarchitect (Dec 18)
- Re: post to bugtraq about "session fixation" Kevin Spett (Dec 18)
- Re: post to bugtraq about "session fixation" Alex Russell (Dec 18)
- Re: post to bugtraq about "session fixation" Kevin Spett (Dec 18)
- Re: post to bugtraq about "session fixation" Panayiotis A. Thermos (Dec 18)
- Re: post to bugtraq about "session fixation" Steven M. Christey (Dec 19)
- Re: post to bugtraq about "session fixation" Cesar (Dec 20)
- Re: post to bugtraq about "session fixation" H D Moore (Dec 20)
- Re: post to bugtraq about "session fixation" Cesar (Dec 20)