WebApp Sec mailing list archives

Re: Cookie stealing and replay in a corporate single sign on environment


From: Ivan Ristic <ivan.ristic () gmail com>
Date: Wed, 15 Jun 2005 14:09:04 +0100

On 6/15/05, Cyrill Osterwalder <cyrill.osterwalder () seclutions com> wrote:

> The way you describe your SSO environment I think that the SSL session ID
> would solve your problems.

Wouldn't that approach work only if there is a single SSL server and
thus only one SSL session ID per cookie? In a typical SSO scenario
there are many web servers and thus many SSL session IDs used by the
same user. What happens if someone steals a cookie and uses it in a
request that establishes a new SSL session with a server that has not
seen that cookie yet?

The only solution where I can see this approach working (for SSO
deployments) is where a reverse proxy is used to terminate SSL and map
all the web servers into a single domain space at the same time. This
would ensure that only one SSL connection per user is used, and allow
for correlation between a cookie and its SSL session ID.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
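The two deployments Ivan contrasts, as an added simulation that is not code from the thread or from either poster: every web server terminating SSL on its own (each can only bind a cookie to the first TLS session it happens to see it on) versus one SSL-terminating reverse proxy in front of all SSO hosts (the cookie is bound to the TLS session it was issued on, and every later request from any host is checked against that binding). Host names, the SSO cookie store and the random stand-in for TLS session IDs are constructed for the example.

```python
"""Constructed simulation: binding an SSO cookie to the SSL/TLS session ID.
Scenario A: each web server terminates SSL itself.
Scenario B: a single SSL-terminating reverse proxy fronts every SSO host.
"""
import secrets


def new_tls_session_id():
    """Stand-in for the session ID a TLS server assigns to a new session."""
    return secrets.token_hex(32)


class SsoCookies:
    """Cookies issued by the SSO login service (assumed shared store).
    The login service's own TLS session ID is of no use to the other
    servers, because the user reaches each of them over a different TLS
    session, so only the set of issued cookies is recorded here."""

    def __init__(self):
        self.issued = set()

    def issue(self):
        cookie = secrets.token_hex(16)
        self.issued.add(cookie)
        return cookie


class Backend:
    """Scenario A: a web server terminating SSL itself. It can only bind a
    cookie to the TLS session it first sees the cookie on."""

    def __init__(self, name, sso):
        self.name = name
        self.sso = sso
        self.bindings = {}  # cookie -> TLS session ID first seen with it

    def handle(self, cookie, tls_session_id):
        if cookie not in self.sso.issued:
            return "rejected: unknown cookie"
        bound = self.bindings.setdefault(cookie, tls_session_id)
        if bound != tls_session_id:
            return "rejected: TLS session mismatch"
        return "accepted"


class ReverseProxy:
    """Scenario B: one SSL-terminating proxy mapping all hosts into a single
    domain space. Login happens through the proxy, so the cookie is bound to
    the TLS session it was issued on, and every host shares that binding."""

    def __init__(self, hosts):
        self.hosts = set(hosts)
        self.bindings = {}  # cookie -> TLS session ID it was issued on

    def login(self, tls_session_id):
        cookie = secrets.token_hex(16)
        self.bindings[cookie] = tls_session_id
        return cookie

    def handle(self, host, cookie, tls_session_id):
        if host not in self.hosts:
            return "rejected: unknown host"
        bound = self.bindings.get(cookie)
        if bound is None:
            return "rejected: unknown cookie"
        if bound != tls_session_id:
            return "rejected: TLS session mismatch"
        return "accepted"  # would be forwarded to the backend for `host`


def separate_ssl_servers():
    """Scenario A: the stolen cookie is replayed over a fresh TLS session
    against a server that has not seen the cookie yet."""
    sso = SsoCookies()
    app1, app2 = Backend("app1", sso), Backend("app2", sso)
    victim_tls = new_tls_session_id()
    cookie = sso.issue()
    attacker_tls = new_tls_session_id()
    return {
        "victim_app1": app1.handle(cookie, victim_tls),
        # app2 has no binding yet, so it binds the attacker's session
        "attacker_app2_fresh_tls": app2.handle(cookie, attacker_tls),
        # app1 already bound the cookie to the victim's session
        "attacker_app1_fresh_tls": app1.handle(cookie, attacker_tls),
    }


def single_reverse_proxy():
    """Scenario B: the same replay through one SSL-terminating proxy."""
    proxy = ReverseProxy(["app1.example.com", "app2.example.com"])
    victim_tls = new_tls_session_id()
    cookie = proxy.login(victim_tls)
    attacker_tls = new_tls_session_id()
    return {
        "victim_app1": proxy.handle("app1.example.com", cookie, victim_tls),
        "victim_app2": proxy.handle("app2.example.com", cookie, victim_tls),
        "attacker_app2": proxy.handle("app2.example.com", cookie, attacker_tls),
    }


if __name__ == "__main__":
    print("separate SSL servers:", separate_ssl_servers())
    print("single reverse proxy:", single_reverse_proxy())
```

In scenario A the replay against app2 is accepted, because app2 has nothing to compare the cookie against; only the proxy in scenario B rejects it. One practical caveat from my own experience rather than from the thread: a browser may open several TLS connections and is not guaranteed to resume the same TLS session, and sessions expire, so a strict binding like this needs a policy for legitimate re-binding or it will lock out real users.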

