WebApp Sec mailing list archives

Re: How can I protect against session hijacking?


From: David Scholefield <david () port80 com>
Date: Fri, 3 Apr 2009 09:44:18 +0100


On 3 Apr 2009, at 01:46, Brad Causey wrote:

1. Will a WAF prevent session hijacking?
In a word, no. I'm with the school of thought that a WAF is a TEMPORARY mitigation of risk while the CODE issues are being resolved. So in practice, you should not deploy a WAF with the long term intent of preventing a certain attack.
<snip>

The fact that PCI says you can have either a WAF or a security review is insane to me.


I totally agree with this - a WAF is a very blunt tool and shouldn't replace decent coding and code review standards. But then code review can be very expensive and time consuming (especially if you don't use a 'standard' set of Microsoft tools such as .NET, or some flavours of Java, and have to do it by hand!)

----
Dr David Scholefield, CISSP, OPST, MBCS
07525 624 997
www.port80.com

Security in a connected world
