Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: "van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>
Date: Sun, 24 Dec 2000 01:04:43 +0100

On Fri, 22 Dec 2000, Mark Curphey wrote:

Apart from RFC 2965 (cookies) what other methods are available to developers
to manage sessions securely; i.e. authenticate each session in a transaction?

Is a decorated URL a better option?

IMHO the best way would be to use SSL connections to reduce sniffing. If you
can support client certificates you can use them as well but don't rely on
them purely.

Once you have an encrypted tunnel use user authentication with hardware
tokens like Shiva Access Manager or Ace's Secure Server. (Combine username
+ user password with pin and hardware token response for authentication.)

Then you can use cookies to cache the use info for a limited time. (Don't
push it over an hour and make sure you keep them rather secure.)

Besides the client certificates, this is how I created a support server.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
This message has not been checked and may contain harmful content.
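The last step of Hugo's recipe, caching the already-authenticated user in a cookie for a limited time (under an hour) and keeping it "rather secure", is the part most easily got wrong. The following is an added illustration, not code from the thread or from any product named in it: it issues a session cookie whose value is bound to an expiry timestamp with an HMAC, clamps the lifetime to one hour, emits the cookie with the Secure and HttpOnly attributes so it only travels inside the SSL/TLS tunnel and is not readable by page scripts, and rejects tampered or expired values on the way back in. The server key, the one-hour ceiling and the cookie layout are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: one hour is the ceiling Hugo suggests for cached session state.
SESSION_MAX_AGE = 3600

# Assumption: a per-server secret loaded from configuration; generated here
# so the example runs stand-alone.  Anyone holding this key can mint sessions.
SERVER_KEY = secrets.token_bytes(32)


def issue_session(username, key=SERVER_KEY, now=None, max_age=SESSION_MAX_AGE):
    """Return a cookie value: b64(user)|expiry|nonce|hmac.

    The HMAC covers the user, the expiry and a random nonce, so the client
    cannot extend its own lifetime or change the user it is bound to.
    Lifetimes longer than SESSION_MAX_AGE are clamped to the ceiling.
    """
    now = int(time.time()) if now is None else int(now)
    expires = now + min(int(max_age), SESSION_MAX_AGE)
    # base64 keeps the delimiter '|' out of the user field.
    user_b64 = base64.urlsafe_b64encode(username.encode()).decode()
    nonce = secrets.token_urlsafe(16)  # makes every session value unique
    payload = f"{user_b64}|{expires}|{nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def cookie_header(token, max_age=SESSION_MAX_AGE):
    """Set-Cookie line for the token.

    Secure: only sent over SSL/TLS, so the sniffing Hugo mentions does not
    expose it.  HttpOnly: not readable from page scripts.  Max-Age mirrors
    the server-side expiry so a well-behaved browser drops it on time.
    """
    max_age = min(int(max_age), SESSION_MAX_AGE)
    return (f"Set-Cookie: session={token}; Max-Age={max_age}; Path=/; "
            f"Secure; HttpOnly; SameSite=Strict")


def verify_session(token, key=SERVER_KEY, now=None):
    """Return the username for a valid, unexpired token, else None.

    The MAC is checked before the expiry and with a constant-time compare,
    so a forged value learns nothing from timing and never reaches the
    expiry logic.  The server-side check is what counts; the browser's
    Max-Age handling is only a courtesy.
    """
    now = int(time.time()) if now is None else int(now)
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user_b64, expires_s, nonce, tag = parts
    payload = f"{user_b64}|{expires_s}|{nonce}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        expires = int(expires_s)
    except ValueError:
        return None
    if now >= expires:
        return None
    try:
        return base64.urlsafe_b64decode(user_b64.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    tok = issue_session("alice")
    print(cookie_header(tok))
    print("verify now:", verify_session(tok))
    print("verify in two hours:", verify_session(tok, now=time.time() + 7200))
```

The session value carries no password or token response: those were consumed once, during the hardware-token login over the encrypted tunnel, and only the fact that the login succeeded is cached, for at most an hour.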
