WebApp Sec mailing list archives

Re: How to create (hijacking) secure HTTP sessions?


From: "Nathan Keltner" <shiftnato () gmail com>
Date: Wed, 7 Jun 2006 10:43:00 -0500

On 6/7/06, Michael Decker <MDecker () tesis de> wrote:
> Do not mix SSL sections with non-SSL sections.

What do you mean by this?

If session information for an SSL area is ever moved into a non-SSL
area (and the session info is still valid for SSL areas), that's bad.

For example, you login to a secure section of your ecommerce site but
then browse to a non-secure section and your session ID travels along
with you for tracking purposes.  If the session ID ever hits a non-SSL
area, you have to invalidate it for all SSL areas and require the user
to log back in.  One way to do that is to just keep them entirely
separate, but it's not necessarily required, as long as the session ID
no longer is valid for SSL areas.

Regards,
Nathan Keltner
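Both options from the reply above, shown as an added example (this is not code from the thread or from either poster): the login session cookie is issued with the Secure attribute so a conforming browser never sends it on plaintext requests, a separate non-sensitive tracking cookie covers the non-SSL pages, and as a backstop the server revokes any secure session ID that does arrive over http so it is no longer valid for the SSL areas. The Request class, the Browser cookie jar and the cookie names ssid/tid are stand-ins assumed for illustration, not a real framework.

```python
"""Keep TLS-only session IDs out of plaintext requests (illustrative stand-ins,
not a real web framework)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    scheme: str                      # "https" or "http"
    path: str
    cookies: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self):
        self.secure_sessions = {}    # secure sid -> {"user": ...}
        self.tracking_sessions = {}  # tracking sid -> {"pages": [...]}

    def login(self, user):
        """Create a TLS-only session; its cookie carries Secure + HttpOnly."""
        sid = secrets.token_urlsafe(32)
        self.secure_sessions[sid] = {"user": user}
        return sid, f"ssid={sid}; Secure; HttpOnly; Path=/; SameSite=Lax"

    def start_tracking(self):
        """Separate, low-value ID that may travel over http for analytics."""
        sid = secrets.token_urlsafe(16)
        self.tracking_sessions[sid] = {"pages": []}
        return sid, f"tid={sid}; HttpOnly; Path=/"

    def authenticate(self, req):
        """Return the logged-in user for this request, or None."""
        sid = req.cookies.get("ssid")
        if sid is None or sid not in self.secure_sessions:
            return None
        if req.scheme != "https":
            # The ID was seen on a plaintext request, so assume it was observed
            # on the wire: revoke it for the SSL areas too. User must log in again.
            del self.secure_sessions[sid]
            return None
        return self.secure_sessions[sid]["user"]

    def track(self, req):
        tid = req.cookies.get("tid")
        if tid in self.tracking_sessions:
            self.tracking_sessions[tid]["pages"].append(req.path)
            return True
        return False


class Browser:
    """Minimal cookie jar that honors the Secure attribute (assumed stand-in)."""
    def __init__(self):
        self.jar = {}  # name -> (value, secure_only)

    def set_cookie(self, header):
        parts = [p.strip() for p in header.split(";")]
        name, value = parts[0].split("=", 1)
        self.jar[name] = (value, "Secure" in parts)

    def cookies_for(self, scheme):
        return {n: v for n, (v, sec) in self.jar.items()
                if scheme == "https" or not sec}


def scenario_compliant_browser():
    """Secure cookie never leaves on http; the login session survives."""
    store, browser = SessionStore(), Browser()
    _, tracking_cookie = store.start_tracking()
    browser.set_cookie(tracking_cookie)
    _, login_cookie = store.login("alice")
    browser.set_cookie(login_cookie)
    r1 = Request("https", "/account", browser.cookies_for("https"))
    r2 = Request("http", "/catalog", browser.cookies_for("http"))
    r3 = Request("https", "/account", browser.cookies_for("https"))
    return (store.authenticate(r1), store.track(r2),
            "ssid" in r2.cookies, store.authenticate(r3))


def scenario_leaked_sid():
    """Secure session ID shows up on a plaintext request and is revoked."""
    store = SessionStore()
    sid, _ = store.login("bob")
    leaked = Request("http", "/catalog", {"ssid": sid})
    again = Request("https", "/account", {"ssid": sid})
    return (store.authenticate(leaked), store.authenticate(again))


if __name__ == "__main__":
    print(scenario_compliant_browser())  # ('alice', True, False, 'alice')
    print(scenario_leaked_sid())         # (None, None)
```

The first scenario is the "keep them entirely separate" approach: because the browser honors the Secure attribute, the http request carries only the tracking cookie and the login session stays valid. The second scenario is the backstop: a client or misconfiguration that does send the secure ID over http loses it for the SSL areas on the very next request.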
