WebApp Sec mailing list archives
Re: Hijacking URL Encoded Session IDs using Referer Logs
From: zeno <bugtraq () cgisecurity net>
Date: Mon, 25 Nov 2002 08:48:57 -0500 (EST)
Not to my knowledge. I guess the question would be why would you store the session ID in a user's URL? I suppose people who are too lazy to learn about cookies and don't mind having the ID logged on the server side. Not to mention it's *possible* that this ID can be saved by a webspider and archived. If using cookies to store these IDs you won't have to worry about this problem. (unless there is a new super spider which logs cookies that I am unaware of in production use?)

- zeno
Is there anything on CERT about the fact that URL encoded session IDs get passed to referenced sites in the HTTP referer header? Thanks, Bob
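Both exposures raised in this message, session IDs logged server-side in the request URL and session IDs arriving in the Referer header, can be scrubbed from access logs before the logs are stored or shared. The following is an added example, not part of the original thread; the parameter names, the Apache combined log format and the sample lines are assumptions constructed for illustration.

```python
import re

# Parameter names assumed to carry session identifiers (illustrative; extend per app).
SESSION_PARAMS = ("jsessionid", "phpsessid", "sid", "sessionid")

# Matches ?name=value, &name=value and the ;name=value path-parameter form.
_TOKEN = re.compile(
    r"(?i)([?&;](?:%s)=)[^&;#\s\"]+" % "|".join(SESSION_PARAMS)
)

# Apache/NCSA combined log format (assumed layout of the access log).
_COMBINED = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] ")(?P<request>[^"]*)'
    r'(?P<mid>" \d{3} \S+ ")(?P<referer>[^"]*)(?P<tail>" ".*"$)'
)

def redact(value):
    """Replace session-ID values in a URL or request line; return (text, count)."""
    return _TOKEN.subn(r"\1[REDACTED]", value)

def scrub_line(line):
    """Redact session IDs in the request and Referer fields of one log line.

    Returns (scrubbed_line, fields_hit); fields_hit names the fields that leaked.
    Lines that do not parse as combined format are returned unchanged.
    """
    m = _COMBINED.match(line)
    if not m:
        return line, []
    request, n_req = redact(m.group("request"))
    referer, n_ref = redact(m.group("referer"))
    hits = [name for name, n in (("request", n_req), ("referer", n_ref)) if n]
    return m.group("head") + request + m.group("mid") + referer + m.group("tail"), hits

# Constructed sample lines (not taken from the thread or any real log).
SAMPLE = [
    '192.0.2.10 - - [25/Nov/2002:08:48:57 -0500] "GET /cart;jsessionid=A1B2C3D4 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [25/Nov/2002:08:49:03 -0500] "GET /index.html HTTP/1.0" 200 1024 "http://shop.example/view?item=5&sid=deadbeef01" "Mozilla/4.0"',
    '203.0.113.4 - - [25/Nov/2002:08:49:10 -0500] "GET /about.html HTTP/1.0" 200 256 "http://other.example/links.html" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        clean, hits = scrub_line(raw)
        print(hits or "clean", clean)
```

Scrubbing logs only limits what is retained locally; an ID carried in the URL has still been sent to the linked site, so moving the ID into a cookie, as the reply suggests, is the actual fix.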