WebApp Sec mailing list archives

Re: improvements in session management?


From: dd <dd () ghettohackers net>
Date: Thu, 01 Apr 2004 13:40:31 -0800


My first thought was if someone manages to grab the session ID he/she can logout the valid user immediately by trying to access the web application with this session ID.

But after rethinking maybe the original poster thought about a second login with a *valid* authentication. This would not be vulnerable to DoS attack. Well, still I'd assume it's bad advice to close all sessions. A better approach would be to refuse the second login.

Refusing the second login would cause the DoS attack. If I hijack your session and have a bot "sit on it" you will never be able to log in again.

By closing any secondary sessions on a valid login you provide a way for a user to stop an in-progress hijacking. The only problems with this occur if you expect multiple logins at once, or the user's creds are stolen (which is a problem larger than session hijacking and DoS issues).

dd
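The two policies argued over in this thread, modelled as an added example (not code from any of the posters): an in-memory session store whose `login` either revokes every other live session for the user or refuses the login while one exists, plus a `scenario` helper that replays the bot-sits-on-a-stolen-session case. The class and function names, the idle timeout and the sample user are all constructed for illustration.

```python
import secrets
import time


class SessionStore:
    """Minimal in-memory session store (constructed for this example).

    policy="revoke_others": a valid login invalidates every other live session
    for that user, so a session someone else is holding is evicted.
    policy="refuse_second": a login is refused while any live session exists
    for that user, so whoever holds a session keeps the real user out.
    """

    def __init__(self, policy="revoke_others", ttl_seconds=900):
        if policy not in ("revoke_others", "refuse_second"):
            raise ValueError("unknown policy")
        self.policy = policy
        self.ttl = ttl_seconds
        # session_id -> {"user": str, "last_seen": float}
        self._sessions = {}

    def _live_sessions(self, user, now):
        return [sid for sid, s in self._sessions.items()
                if s["user"] == user and now - s["last_seen"] < self.ttl]

    def login(self, user, password_ok, now=None):
        """Return a fresh session id on a valid login, or None if refused."""
        now = time.time() if now is None else now
        if not password_ok:
            return None
        others = self._live_sessions(user, now)
        if self.policy == "refuse_second" and others:
            return None
        if self.policy == "revoke_others":
            for sid in others:
                del self._sessions[sid]
        # Always mint a new, unguessable id rather than reusing an old one.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def touch(self, sid, now=None):
        """Validate a presented session id; refresh its idle timer on success.

        Returns the user name, or None if the id is unknown or idle-expired.
        """
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None or now - s["last_seen"] >= self.ttl:
            self._sessions.pop(sid, None)
            return None
        s["last_seen"] = now
        return s["user"]


def scenario(policy):
    """Replay the thread's scenario under the given policy.

    A session id has leaked (how is out of scope) and a bot keeps it alive by
    touching it every minute. The legitimate user then logs in again with
    valid credentials. Returns a dict with the two facts the thread cares
    about: could the user get back in, and is the held session still valid?
    """
    store = SessionStore(policy=policy)
    t0 = 1000.0  # constructed clock value so the run is deterministic
    held = store.login("alice", True, now=t0)  # this id is the one that leaked
    for minute in range(1, 6):
        store.touch(held, now=t0 + 60 * minute)  # bot "sits on it"
    fresh = store.login("alice", True, now=t0 + 400)
    return {
        "user_logged_in": fresh is not None,
        "held_session_valid": store.touch(held, now=t0 + 401) is not None,
        "fresh_session_valid": fresh is not None
        and store.touch(fresh, now=t0 + 402) == "alice",
    }


if __name__ == "__main__":
    for policy in ("revoke_others", "refuse_second"):
        print(policy, scenario(policy))
```

Under `revoke_others` the user's new login succeeds and the held session is gone; under `refuse_second` the held session stays valid for as long as the bot keeps it under the idle timeout, and the user's valid login is refused. The caveats raised in the thread still apply to the first policy: it breaks genuine concurrent logins, and it does nothing if the credentials themselves have been stolen.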

