WebApp Sec mailing list archives

Re: improvements in session management?

From: Michael Ströder <michael () stroeder com>
Date: Thu, 01 Apr 2004 22:28:50 +0200

Michael Ströder wrote:

WebAppSecurity [Technicalinfo.net] wrote:

1.  Only allow any user to have a single active connection to the web
application. (simultaneous logins result in slosure of all sessions).


Great opportunity for DoS attacks. ;-)


After being asked off list:

Sorry, maybe I got the original poster wrong.

My first thought was if someone manages to grab the session ID he/she canlogout the valid user immediately by trying to access the web applicationwith this session ID.

But after rethinking maybe the original poster thought about a second loginwith a *valid* authentication. This would not be vulnerable to DoS attack.Well, still I'd assume it's bad advice to close all sessions. A betterapproach would be to refuse the second login.


Ciao, Michael.

Current thread:

Re: improvements in session management? dd (Mar 31)
- Re: improvements in session management? Michael Ströder (Apr 01)
  - Re: improvements in session management? dd (Apr 01)
- RE: improvements in session management? WebAppSecurity [Technicalinfo.net] (Apr 01)
  - Re: improvements in session management? Michael Ströder (Apr 01)
    - Re: improvements in session management? Michael Ströder (Apr 01)
    - Re: improvements in session management? dd (Apr 01)
    - RE: improvements in session management? WebAppSecurity [Technicalinfo.net] (Apr 01)
- <Possible follow-ups>
- Re: improvements in session management? Michael Ströder (Mar 31)
- Re: improvements in session management? Tim Akinbo (Apr 01)