WebApp Sec mailing list archives
RE: Regeneration of Session Tokens (from the OWASP Guide)
From: Pilon Mntry <pilonmntry () yahoo com>
Date: Tue, 2 May 2006 23:10:50 -0700 (PDT)
Mark,
Basically what you are talking about is using XSS or something like it as a form of session fixation.
Actually I was talking about session hijacking, but I guess you meant that too. :)
I have never agreed with the OWASP guide or similar recommendations by others to regenerate tokens.
I am sure you would agree that regenerating sessionids after privilege changes (such as successful logins and logouts) is helpful.
transaction, you can simply invalidate the current session and force the user to login as part of the transaction.
And I believe what you are saying is very close to my alternative solution of prompting the user for another password before the transaction and session regeneration takes place. -pilon
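As an added illustration of the two points the thread agrees on (regenerate the session id on privilege changes such as login and logout, and re-prompt for the password before a sensitive transaction), here is a small in-memory session store. It is example code written for this archive page, not code from the thread, the OWASP Guide or any framework; the `SessionStore` class, its method names and the "alice" user table are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed user table: username -> (per-user salt, PBKDF2-SHA256 hash).
# Only one user exists so the demo runs offline.
_ALICE_SALT = secrets.token_bytes(16)
_USERS = {
    "alice": (_ALICE_SALT,
              hashlib.pbkdf2_hmac("sha256", b"correct horse", _ALICE_SALT, 100_000)),
}


def _check_password(user, password):
    """Constant-time comparison of a PBKDF2 hash; False for unknown users."""
    entry = _USERS.get(user)
    if entry is None:
        return False
    salt, expected = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, expected)


class SessionStore:
    """Hypothetical server-side session table keyed by an unguessable id."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": str|None, "step_up": bool}

    def _issue(self, user, step_up):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "step_up": step_up}
        return sid

    def new_session(self):
        """Anonymous session, e.g. before login (the id a fixation attempt would plant)."""
        return self._issue(None, False)

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, user, password):
        """Privilege change: on success the old id is discarded and a new one issued."""
        if not _check_password(user, password):
            return None
        self._sessions.pop(sid, None)  # any pre-login id, planted or not, is now dead
        return self._issue(user, False)

    def logout(self, sid):
        """Privilege change: the id is invalidated rather than merely flagged."""
        self._sessions.pop(sid, None)

    def step_up(self, sid, password):
        """Re-prompt for the password before a sensitive transaction, then regenerate."""
        s = self._sessions.get(sid)
        if s is None or s["user"] is None or not _check_password(s["user"], password):
            return None
        self._sessions.pop(sid)
        return self._issue(s["user"], True)

    def transfer(self, sid, amount):
        """Sensitive transaction: allowed once per step-up, then the flag is cleared."""
        s = self._sessions.get(sid)
        if s is None or s["user"] is None or not s["step_up"]:
            return False
        s["step_up"] = False
        return True


def demo():
    """Walk through fixation, login, step-up and logout; returns the observed outcomes."""
    store = SessionStore()
    pre_login = store.new_session()  # id known before authentication
    after_login = store.login(pre_login, "alice", "correct horse")
    results = {
        "old_id_dead": store.get(pre_login) is None,
        "new_id_live": store.get(after_login)["user"] == "alice",
        "transfer_without_reauth": store.transfer(after_login, 100),
    }
    assert store.step_up(after_login, "wrong") is None
    stepped = store.step_up(after_login, "correct horse")
    results["login_id_dead_after_stepup"] = store.get(after_login) is None
    results["transfer_after_reauth"] = store.transfer(stepped, 100)
    results["second_transfer_blocked"] = store.transfer(stepped, 100)
    store.logout(stepped)
    results["dead_after_logout"] = store.get(stepped) is None
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the walk-through is that an id known before login never becomes an authenticated id, and that the password re-prompt both gates the transaction and produces yet another fresh id, so a hijacked post-login id alone cannot complete the transaction.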
Current thread:
- Regeneration of Session Tokens (from the OWASP Guide) Pilon Mntry (May 01)
- RE: Regeneration of Session Tokens (from the OWASP Guide) M. Burnett (May 03)
- RE: Regeneration of Session Tokens (from the OWASP Guide) Pilon Mntry (May 03)
- RE: Regeneration of Session Tokens (from the OWASP Guide) M. Burnett (May 03)