Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

webappsec logo WebApp Sec mailing list archives

RE: Session Fixation
From: Cyrill Osterwalder <cyrill.osterwalder () seclutions com>
Date: Wed, 02 Apr 2003 09:15:12 +0200


I am currently logging the super cookie to try and determine if it
really is unique enough.
I always prefer and also recommend to have a session identifier of which the uniqueness is controlled and therefore guaranteed by the server, not any client software. The server software should not rely on the client side regarding this issue.
When using SSL connections, I'm often using the SSL session ID which is exactly such an example where the server guarantees uniqueness. However, the SSL session ID also has some problems like that old browser versions do not keep it long enough or that you lose sessions if your server side SSL session pool is not big enough. If one of these issues are relevant, I build long enough and very good random identifiers where I guarantee uniqueness in the session management code. 

Cyrill

---------------------------------------------------
Cyrill Osterwalder
Chief Technology Officer
http://www.seclutions.com

PGPKey FP :5C84E132BBD50AB1627BF873D3B6CAF4C70E7ACB
PGPKey URL:ldap://certserver.pgp.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]