WebApp Sec mailing list archives

RE: Session security with cookies

From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Wed, 5 Dec 2007 10:11:21 -0000

Encrypting or signing the data in the cookies is better 
than not doing it...


In an ideal world:

- No data in cookies at all; all state should be held server side
- Session identifier not dependent on data at all; it should be truly
random and unique

Martin...



-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

Current thread:

Re: Session security with cookies, (continued)
- - - Re: Session security with cookies Aaron Katz (Dec 05)
    - Re: Session security with cookies Till Elsner (Dec 05)
    - Re: Session security with cookies Aaron Katz (Dec 05)
    - Re: Session security with cookies Aaron Shelmire (Dec 08)
    - Re: Session security with cookies Eduardo Tongson (Dec 08)
    - Cryptographically Generated Cookies Paul Johnston (Dec 12)
    - Re: Cryptographically Generated Cookies Andy Steingruebl (Dec 14)
    - Re: Cryptographically Generated Cookies Jamie Riden (Dec 14)
    - RE: Session security with cookies Martin O'Neal (Dec 12)
    - Message not available
    - Re: Session security with cookies Scott C. Sanchez (Dec 04)
    - RE: Session security with cookies Martin O'Neal (Dec 05)
- Re: Session security with cookies Eduardo Tongson (Dec 05)