WebApp Sec mailing list archives

RE: Regeneration of Session Tokens (from the OWASP Guide)


From: Pilon Mntry <pilonmntry () yahoo com>
Date: Tue, 2 May 2006 23:10:50 -0700 (PDT)


Mark,

Basically what you are
talking about is using XSS or
something like it as a form of session fixation. 

Actually I was talking about session hijacking, but I
guess you meant that too. :)

I have never agreed with the OWASP guide or similar
recommendations by
others to regenerate tokens. 

I am sure you would agree that regenerating
sessionids after privilege changes (such as
successful logins and logouts) is helpful.

transaction, you can simply invalidate the current
session and force the
user to login as part of the transaction.

And I believe what you are saying is very close to my
alternative solution of prompting the user for another
password before the transaction and session
regeneration take place.

-pilon
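The two practices discussed in this reply, regenerating the session id on login/logout and re-prompting for the password before a sensitive transaction, as an added example that is not code from the thread or from the OWASP Guide; the in-memory store, the user table and the password are constructed for the demo:

```python
import secrets

# Constructed credential table for the demo (not from the thread); a real
# application would verify a salted password hash instead.
USERS = {"alice": "correct-horse-battery"}

def check_password(user, password):
    expected = USERS.get(user, "")
    return secrets.compare_digest(expected.encode(), password.encode())

class SessionStore:
    """Minimal in-memory session store that rotates the id on privilege changes."""

    def __init__(self):
        self._sessions = {}  # session id -> per-session state

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user(self, sid):
        state = self._sessions.get(sid)
        return state["user"] if state else None

    def regenerate(self, sid):
        # Move the state to a fresh id and retire the old one: anyone holding
        # only the pre-change id (fixated or sniffed earlier) is locked out.
        state = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = state
        return new_sid

    def login(self, sid, user, password):
        if sid not in self._sessions or not check_password(user, password):
            return sid
        self._sessions[sid]["user"] = user
        return self.regenerate(sid)

    def logout(self, sid):
        self._sessions.pop(sid, None)   # drop the authenticated session entirely
        return self.create()            # hand back a fresh anonymous id

    def sensitive_transaction(self, sid, password):
        # Re-prompt for the password before the high-value action; on success
        # rotate the id so the one used so far is useless afterwards.
        user = self.user(sid)
        if user is None or not check_password(user, password):
            return sid, False
        return self.regenerate(sid), True
```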



