WebApp Sec mailing list archives

Re: Custom session tokens and XSS


From: Ingo Struck <ingo () ingostruck de>
Date: Thu, 14 Aug 2003 17:35:07 +0200


Hi...

> The reason to log a session out when a bad token is received is so that if
> someone steals the token (somehow), then the real user's next use of their
> token will cause the attacker to get logged out.

Yep, of course that logging-off-the-other-one works vice versa.
:o)
The problem here is that users tend to log themselves off very often if they
hit the browser's "reload" button. In this case an old (thus invalid) token is
submitted. I had lots of users of a real application complaining about that.

> It opens a denial of service capability but closes another hole.

This is the case for other problems too; you have to balance the reasons
for the security measures you take.

But maybe you're right:
The nuisance of being logged off unintentionally may outweigh the risk of
having some transaction tokens stolen.

Kind regards

Ingo

-- 
ingo () ingostruck de
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint
C700 9951 E759 1594 0807  5BBF 8508 AF92 19AA 3D24

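The trade-off discussed in this thread, worked through as an added example (constructed for this archive page, not code from the poster or from any real application): per-request rotating tokens, where the immediately previous token is tolerated once so that a browser reload does not log the user off, while reuse of any older token still terminates the session as the original scheme intended. The `SessionStore` class and its status strings are hypothetical names chosen here.

```python
import secrets


class SessionStore:
    """Hypothetical server-side store for per-request rotating tokens.

    Policy: the current token is accepted and rotated; the immediately
    previous token is accepted once more without rotating (a reload
    resubmits it); any older token this session ever issued is treated
    as a replay and the whole session is terminated.
    """

    def __init__(self):
        self.sessions = {}   # session_id -> {"current", "previous", "retired"}
        self.owner = {}      # token -> session_id, for every token ever issued

    def _issue(self, sid):
        tok = secrets.token_urlsafe(32)   # unguessable, 256 bits of entropy
        self.owner[tok] = sid
        return tok

    def login(self, sid):
        self.sessions[sid] = {"current": self._issue(sid), "previous": None, "retired": set()}
        return self.sessions[sid]["current"]

    def is_active(self, sid):
        return sid in self.sessions

    def use(self, token):
        """Return (status, token_to_send_back) for one request."""
        s = self.sessions.get(self.owner.get(token))
        if s is None:
            return "invalid", None                  # never issued, or session gone
        if token == s["current"]:
            if s["previous"] is not None:
                s["retired"].add(s["previous"])   # older than one step: replay only
            s["previous"], s["current"] = s["current"], self._issue(self.owner[token])
            return "ok", s["current"]
        if token == s["previous"]:
            return "accepted_previous", s["current"]   # reload tolerated, no rotation
        # token in s["retired"]: possible theft, log everyone out of this session
        del self.sessions[self.owner[token]]
        return "terminated", None
```

Accepting the previous token means a stolen token stays usable for exactly one more request instead of zero; that is the price of not logging users off on reload.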
