WebApp Sec mailing list archives
session id abuse
From: Johnny GoLightly <mywebquestion () yahoo com au>
Date: 13 Feb 2004 12:20:09 -0000
Hi all, I have some questions regarding session IDs. Consider the following scenario: User requires access to a web application for a long period of time with inactivity. Therefore assume that the session ID never expires. Session information stored on the web server (or application server) says that this user has read-only access to the information shown on the page, which is extracted from a database. The application auto-refreshes the page on the browser every 15 minutes with updated info that other users may have entered in the preceding period. Is it possible for:

1. Another user to change the session information on the server and change access from read-only to write (by knowing the session ID)?

2. Knowing the session ID (perhaps from info on the URL), can one create another session from another browser using the same session ID?

3. How can you effectively limit concurrent access to only 1 session?

4. If client-side certificates were to be used, could you create another session from another browser once the first session was authenticated? i.e., how do you restrict the access to only one browser?

5. If you are using server-side validation for all user-invoked queries, is it still possible to force data into the application to elevate your role? Assume that user roles are clearly defined in the db.

6. If a user with high privileges (such as write to db) leaves a workstation unattended with no session timeout, are there any controls that one could put in place to still validate the user is the privileged user after a period of time? For example, keep the session active, but to make any changes the application must validate information on a USB key?

7. How do you choose between session IDs tagged in the URL and session IDs in cookies? How do you restrict the information in either URL or cookie so that users can't use this info to abuse the application?

Thanks
Johnny
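Several of the controls the questions above ask about (a server-held role that the client cannot edit, one live session per user, rotating the ID on privilege change, step-up re-authentication before writes, and keeping the ID in a hardened cookie rather than the URL) can be shown in one small server-side session store. The following is an added example, not code from the original post or from anyone in this thread; the class and function names, the 15-minute step-up window and the cookie name `sid` are assumptions made for illustration.

```python
"""Minimal server-side session store (added example, not from the thread).

Illustrates: the role lives only on the server and is found by ID; a user
holds at most one live session; the ID is rotated on privilege change; a
write action needs a recent interactive re-authentication; the ID travels
in a Secure/HttpOnly/SameSite cookie instead of the URL.
"""
import secrets
import time
from dataclasses import dataclass

REAUTH_MAX_AGE = 15 * 60   # assumption: a write needs a credential check within 15 min
SESSION_ID_BYTES = 32      # 256 bits from the OS CSPRNG, so the ID cannot be guessed


@dataclass
class Session:
    user: str
    role: str          # "read" or "write"; stored server-side only
    created: float
    last_reauth: float  # when the user last proved identity interactively


class SessionStore:
    def __init__(self):
        self._sessions = {}   # session id -> Session record
        self._by_user = {}    # user -> the one live session id

    def login(self, user, role, now=None):
        """Create a session after credentials were checked. Any earlier session
        of the same user is revoked, so a user has at most one live session
        (question 3 above)."""
        now = time.time() if now is None else now
        old = self._by_user.get(user)
        if old is not None:
            self._sessions.pop(old, None)
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = Session(user, role, now, now)
        self._by_user[user] = sid
        return sid

    def get(self, sid):
        """Look up by ID only. The record is what the server stored, so a client
        editing its own cookie cannot change its role (question 1). Anyone who
        presents the ID is indistinguishable from its owner (question 2), which
        is why the ID must be unguessable and kept out of URLs and logs."""
        return self._sessions.get(sid)

    def rotate(self, sid):
        """Issue a fresh ID for the same record, e.g. after login or a role
        change, so an ID captured earlier stops working."""
        rec = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = rec
        self._by_user[rec.user] = new_sid
        return new_sid

    def reauthenticate(self, sid, now=None):
        """Record a fresh interactive proof of identity (password, token, key)."""
        self._sessions[sid].last_reauth = time.time() if now is None else now

    def may_write(self, sid, now=None):
        """Allow a write only for a write-role session whose last
        re-authentication is recent. A long-lived read-only session keeps
        refreshing but never gains write; an unattended write session loses
        the ability to change data once the step-up window lapses (question 6)."""
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None or rec.role != "write":
            return False
        return now - rec.last_reauth <= REAUTH_MAX_AGE


def session_cookie(sid, max_age=None):
    """Set-Cookie value carrying the ID. Secure keeps it off plaintext HTTP,
    HttpOnly keeps it away from script, SameSite limits cross-site sending;
    none of that is available when the ID is carried in the URL (question 7)."""
    parts = [f"sid={sid}", "Path=/", "Secure", "HttpOnly", "SameSite=Strict"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    return "; ".join(parts)


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_000_000.0
    first = store.login("alice", "write", now=t0)
    second = store.login("alice", "write", now=t0 + 1)  # second browser revokes the first
    print("first session still valid:", store.get(first) is not None)
    print("write allowed now:", store.may_write(second, now=t0 + 60))
    print("write allowed after window:", store.may_write(second, now=t0 + REAUTH_MAX_AGE + 10))
    print(session_cookie(store.rotate(second), max_age=3600))
```

The store answers question 5 only indirectly: because the role is read from the server-side record and never from request data, there is nothing in the request for a user to tamper with to elevate themselves; the remaining risk is in the code that sets the role at login. Question 4 (client certificates) is not modelled here; a certificate identifies the user, not the browser, so the one-session-per-user rule in `login` is still the control that stops a second browser from holding a parallel session.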
Current thread:
- Session ID Abuse Johnny GoLightly (Feb 13)
- Re: Session ID Abuse Paul (Feb 15)
- Re: Session ID Abuse lists AT dawes DOT za DOT net (Feb 15)
- <Possible follow-ups>
- session id abuse Johnny GoLightly (Feb 13)
- Re: session id abuse npguy (Feb 15)
- Re: session id abuse hans (Feb 15)
- RE: Session ID Abuse Kris Wilkinson (Feb 15)
- Re: Session ID Abuse Steve Shah (Feb 15)