WebApp Sec mailing list archives
Re: Hijacking URL Encoded Session IDs using Referer Logs
From: Craig_Sullivan () Waitrose co uk
Date: Mon, 25 Nov 2002 15:45:46 +0000
Hmmm, I've long advocated not allowing session IDs in URLs *unless* they are supplemented with additional authentication or cookies. Quite simply, if you encode the security equivalence of the browser in a URL you are open to:

(a) Replay attacks from the history file
(b) Sniffing attacks
(c) Logfile analysis attacks
(d) Replay of bookmarks/links

The clients I have worked with always rely upon additional information (in the form of cookies) when verifying the session ID. In addition, many of them implement systems that employ two separate session tracking systems - one for the general state management issue and the second for the business of checking 'that this was the same browser instance that authenticated itself earlier in the session and not somebody else'. All use of the second state management system is encrypted...

I've developed a system called the '3 cookie' tracking system but it won't work without cookies being enabled. Quite frankly, if cookies aren't enabled, I can't provide a secure mechanism for my clients to handle verification of identity along with a state management system.

It is worth mentioning that in several months' use of such a system, there were a minimal number of 'no we don't do cookies' systems that arrived on the site. I value security more highly than the often touted position of ensuring that disabled cookie systems can have a fallback. My fallback is to ensure it doesn't work but at least highlights this to the visitor.

Craig.

*********************************************************************
Notice: This email is confidential and may contain copyright material of the John Lewis Partnership. If you are not the intended recipient, please notify us immediately and delete all copies of this message. (Please note that it is your responsibility to scan this message for viruses).
*********************************************************************
John Lewis plc Registered in England 233462 Registered office 171 Victoria Street London SW1E 5NN Websites: http://www.johnlewis.com and http://www.waitrose.com
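A server-side check of the kind Craig describes, as an added example that is not from the original post or any of his systems: the session ID carried in the URL is accepted only together with a separate verifier carried in a cookie, so an ID recovered from a referer log, history file or bookmark is rejected on its own. The names (`Session`, `verify_request`, the in-memory `SESSIONS` store) and the sample log line are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    """One server-side session: general state plus the hash of the
    cookie-borne verifier that proves 'same browser instance'."""
    state: dict = field(default_factory=dict)
    verifier_hash: Optional[bytes] = None


# In-memory session store (constructed for this example; a real deployment
# would use a server-side store with expiry and rotation).
SESSIONS: Dict[str, Session] = {}


def create_session() -> Tuple[str, str]:
    """Return (session_id, verifier). The session id may appear in URLs;
    the verifier is sent only as an HttpOnly/Secure cookie, so a copy of
    the URL in a referer log, history file or bookmark never contains it."""
    session_id = secrets.token_urlsafe(24)
    verifier = secrets.token_urlsafe(32)
    SESSIONS[session_id] = Session(
        verifier_hash=hashlib.sha256(verifier.encode()).digest()
    )
    return session_id, verifier


def verify_request(url_session_id: str, cookie_verifier: Optional[str]) -> bool:
    """Accept only when the URL session id and the cookie verifier belong to
    the same session. A session id on its own is treated as a replay."""
    session = SESSIONS.get(url_session_id)
    if session is None or cookie_verifier is None or session.verifier_hash is None:
        return False
    presented = hashlib.sha256(cookie_verifier.encode()).digest()
    # Constant-time comparison so the check does not leak the hash byte by byte.
    return hmac.compare_digest(presented, session.verifier_hash)


def simulate_referer_leak() -> Tuple[bool, bool]:
    """Legitimate browser (id + cookie) is accepted; the same id read back
    from a constructed referer-log line, with no cookie, is rejected."""
    session_id, verifier = create_session()
    log_line = f'GET /page HTTP/1.0 "https://example.test/cart?sid={session_id}"'
    leaked_id = log_line.split("sid=")[1].rstrip('"')
    return verify_request(session_id, verifier), verify_request(leaked_id, None)
```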
Current thread:
- Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 24)
- Re: Hijacking URL Encoded Session IDs using Referer Logs zeno (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Jeff Dafoe (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Jeff Dafoe (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs zeno (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs zeno (Nov 25)
- <Possible follow-ups>
- Re: Hijacking URL Encoded Session IDs using Referer Logs ONEILL David J (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Craig_Sullivan (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs UDP 53 (Dec 05)