WebApp Sec mailing list archives
Re: How to create (hijacking) secure HTTP sessions?
From: Rogan Dawes <discard () dawes za net>
Date: Mon, 05 Jun 2006 11:20:35 +0200
ascii wrote:
Robin Wood wrote:What happens if your users are using proxies which change over the period of the session, such as AOL. This approach would stop them from using your system.i think the answer is in the message you replied : )On 6/3/06, ascii <ascii () katamail com> wrote:this should play better on https then on http because commonly ssl connections are direct (while some isp split the http traffic over different proxy servers and several public ips)does AOL proxy https traffic? normally your browser open an ssl connection directly with the server the other option is to use a proxy with the CONNECT request method enabled to tunnel the ssl channel (but the proxy cannot cache the traffic, so no cache acceleration) if this happen and the proxy change then a solution is to exclude the ip class from the ip check naturally you have to see the context, if your webbapp doesn't apply for a particular check don't do that particular check Regards, Francesco 'ascii' Ongaro - http://www.ush.it/
Here's a slightly different question, but along the same lines.What happens if your users are all behind a particular proxy/firewall? e.g. a hosted application provider servicing a large corporate?
Recording the IP would add no value, since they might all be coming from the same external address. One might wish to consider the "X-Forwarded-For" (or whatever) header in that case, to get the actual internal IP address, but of course, it cannot be trusted, since it is a header and can be forged like any other.
Rogan ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive and consolidated remediation task lists at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c --------------------------------------------------------------------------
Current thread:
- How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 02)
- Re: How to create (hijacking) secure HTTP sessions? Jason Muskat (Jun 02)
- Re: How to create (hijacking) secure HTTP sessions? Adam Tuliper (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? Adam Tuliper (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Ivan Ristic (Jun 03)
- Re: How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? Nathan Keltner (Jun 08)
- Re: How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? ascii (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Robin Wood (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? ascii (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Rogan Dawes (Jun 05)
- Re: How to create (hijacking) secure HTTP sessions? ascii (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? stefano (Jun 05)
- Re: How to create (hijacking) secure HTTP sessions? Robin Wood (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Jason Muskat (Jun 02)
- <Possible follow-ups>
- RE: How to create (hijacking) secure HTTP sessions? Evans, Arian (Jun 08)
- RE: How to create (hijacking) secure HTTP sessions? Evans, Arian (Jun 08)