WebApp Sec mailing list archives
Re: How to create (hijacking) secure HTTP sessions?
From: "Nathan Keltner" <shiftnato () gmail com>
Date: Wed, 7 Jun 2006 10:43:00 -0500
On 6/7/06, Michael Decker <MDecker () tesis de> wrote:
> Do not mix SSL sections with non-SSL sections. What do you mean by this?
If session information for an SSL area is ever moved into a non-SSL area (and the session info is still valid for SSL areas), that's bad. For example, you log in to a secure section of your ecommerce site but then browse to a non-secure section and your session ID travels along with you for tracking purposes. If the session ID ever hits a non-SSL area, you have to invalidate it for all SSL areas and require the user to log back in.

One way to do that is to just keep them entirely separate, but it's not necessarily required, as long as the session ID is no longer valid for SSL areas.

Regards,
Nathan Keltner
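A server-side sketch of the rule in Nathan's reply, added here as an example and not code from the thread: each session is tagged at creation as SSL-scoped or not, and an SSL-scoped ID that arrives on a plaintext request is revoked instead of honoured, so the user has to log back in. The `SessionStore` class, the `over_tls` flag and the cookie names are this example's own assumptions; the `Secure` cookie attribute is the browser-side half of keeping the two areas separate.

```python
import secrets


class SessionStore:
    """Minimal in-memory session table (example only)."""

    def __init__(self):
        # session_id -> {"user": str, "secure": bool}
        self._sessions = {}

    def create(self, user, secure):
        """Issue a new random session ID; secure=True marks it SSL-only."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "secure": secure}
        return sid

    def resolve(self, sid, over_tls):
        """Look up the session for an incoming request.

        Returns the session record, or None when there is no usable session.
        Side effect: an SSL-scoped ID seen over a non-TLS request has been
        exposed on the wire, so it is deleted and can never be used again,
        even on later TLS requests.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if sess["secure"] and not over_tls:
            del self._sessions[sid]  # leaked: invalidate for all SSL areas
            return None
        return sess

    def is_valid(self, sid):
        return sid in self._sessions


def set_cookie_header(name, sid, secure):
    """Build a Set-Cookie line; Secure stops browsers sending it over http."""
    attrs = [f"{name}={sid}", "Path=/"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    store = SessionStore()
    login = store.create("alice", secure=True)
    print(set_cookie_header("SSLSESSION", login, secure=True))
    print("over TLS:", store.resolve(login, over_tls=True))
    print("over http:", store.resolve(login, over_tls=False))  # None, revoked
    print("over TLS again:", store.resolve(login, over_tls=True))  # None
```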