WebApp Sec mailing list archives
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications"
From: Florian Weimer <fw () deneb enyo de>
Date: Sat, 08 Jan 2005 00:47:21 +0100
* Jim Weiler:
Couldn't the secret be any unpredictable value that the server can come up with, like a GUID or the timestamp of the user login, and not something that uses encryption?
Yes, and a HMAC provides that. You have to make the value depending on the web application user (and preferably the time), otherwise users could attack each other. Of course, you can also use a decent PRNG to generate a token, and store it in the user's session object on the server side. But this might be more complicated to implement. A HMAC is not really encryption---but thanks to chaffing and winnowing, all authentication schemes also permit encryption, albeit with a significant overhead.
Current thread:
- RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications" Weiler, Jim (Jan 07)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications" Florian Weimer (Jan 08)
- Google Hacking and SiteDigger 2.0 Kartik Trivedi (Jan 10)
- Re: Google Hacking and SiteDigger 2.0 GuidoZ (Jan 14)
- Google Hacking and SiteDigger 2.0 Kartik Trivedi (Jan 10)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications" Florian Weimer (Jan 08)