WebApp Sec mailing list archives
Re: Session Fixation
From: "HarryM" <harrym () the-group org>
Date: Tue, 1 Apr 2003 00:28:18 +0100
> Actually, I think suggesting to anyone that they invest in half-measures when their time can be better spent elsewhere is even more damaging. On the one hand, I can see your argument: it raises the bar ever so slightly, which is a good thing. But I don't think it's a good _enough_ thing. Consider that most people implementing these systems _aren't_ experts. They understand IP, they understand networking, but they don't really think about how to break things, so relying on IP seems "good enough". Giving the uninformed bad choices and telling them to get it right is a recipe for disaster if ever I've seen one.
>
> One should never rely on IP for *anything* :-)

I agree, except to say that I wouldn't consider it "investing in half measures" - at least, not the way I've coded it - since (a) it's one small measure among many other precautions taken (tamper-proof cookies, detection of scripted attacks, input validation, account lockouts, and so on) and (b), at ~5 lines of code, it's not much of an investment!

I very much agree that it should be made known to as many people as possible that IP, in the context of web services, is unreliable as a means of identification, as silly as that may sound to the uninitiated, and that it should never be depended on for anything - least of all security.

HarryM
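The thread discusses binding a session to the client IP as one small check among others (tamper-proof cookies, and so on) rather than as the defence against session fixation. The following is an added example, not code from this thread or from either poster, showing the layering described: the session id is regenerated at login (the actual fixation defence), the cookie carries an HMAC tag so it cannot be altered, and an optional IP binding is a secondary signal that can be switched off because it is unreliable behind proxies and NAT. The names `SessionStore`, `SECRET_KEY`, `sign_value` and `verify_value` and the sample addresses are assumptions made here.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed server-side key for the example; a real deployment loads it from
# configuration, never hard-codes it.
SECRET_KEY = b"example-secret-key-not-for-production"


def sign_value(value: str) -> str:
    """Append an HMAC-SHA256 tag so any change to the value is detectable."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_value(cookie: str) -> Optional[str]:
    """Return the embedded value if its tag matches, otherwise None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return value


class SessionStore:
    """In-memory session table keyed by a random, server-generated id."""

    def __init__(self, bind_ip: bool = False):
        self.bind_ip = bind_ip
        self._sessions: Dict[str, dict] = {}

    def create(self, client_ip: str) -> str:
        """Start an anonymous (pre-login) session and return its cookie."""
        sid = secrets.token_urlsafe(32)  # URL-safe base64, never contains '.'
        self._sessions[sid] = {"user": None, "ip": client_ip}
        return sign_value(sid)

    def login(self, cookie: str, user: str, client_ip: str) -> str:
        """Authenticate the user.

        The pre-login id is discarded and a fresh one issued, so an id that an
        attacker managed to plant in the victim's browser before login never
        becomes an authenticated session. This regeneration, not the IP check,
        is what defeats session fixation.
        """
        old_sid = verify_value(cookie)
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "ip": client_ip}
        return sign_value(new_sid)

    def current_user(self, cookie: str, client_ip: str) -> Optional[str]:
        """Resolve a cookie to a logged-in user, or None if it is not valid."""
        sid = verify_value(cookie)  # rejects forged or edited cookies
        if sid is None:
            return None
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        # Optional secondary signal only: IP is not an identity, so this is
        # configurable and should be expected to misfire behind proxies.
        if self.bind_ip and sess["ip"] != client_ip:
            return None
        return sess["user"]


if __name__ == "__main__":
    store = SessionStore(bind_ip=True)
    pre = store.create("198.51.100.10")
    post = store.login(pre, "alice", "198.51.100.10")
    print("pre-login id still valid after login:", store.current_user(pre, "198.51.100.10"))
    print("authenticated user:", store.current_user(post, "198.51.100.10"))
```

The test of the design is the second `print`: the cookie issued before login is worthless afterwards, so fixing it in advance gains an attacker nothing, regardless of whether IP binding is on.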
Current thread:
- Session Fixation St. Clair, James (Mar 25)
- Re: Session Fixation Gary Gwin (Mar 27)
- <Possible follow-ups>
- RE: Session Fixation Mark Mcdonald (Mar 27)
- RE: Session Fixation Information Security (Mar 31)
- Re: Session Fixation Alex Russell (Mar 31)
- Re: Session Fixation HarryM (Mar 31)
- Re: Session Fixation Alex Russell (Mar 31)
- Re: Session Fixation HarryM (Mar 31)
- Re: Session Fixation Alex Russell (Mar 31)
- Re: Session Fixation Alex Russell (Mar 31)