[thelist] Session Fixation

Bill Moseley moseley at hank.org
Thu Jun 11 18:55:14 CDT 2009


I'm working with an application that accepts session ids in a query
parameter.  That opens up the application to session fixation
attacks:

    http://en.wikipedia.org/wiki/Session_fixation

The reason session id is allowed in the query is that third party
users want to use an iframe to embed the site in their own site, and
Internet Explorer, by default, does not allow "third-party" cookies
from the iframe.


I would like to not allow session ids in the URL, yet still allow use
of an iframe if the third-party site wants, without requiring users to
change their IE settings.

I understand that a P3P header can be used to convince IE to allow the
cookie to be set from the iframe:

    http://viralpatel.net/blogs/2008/12/how-to-set-third-party-cookies-with-iframe.html

Anyone have experience with this approach?  Are there browsers that
will still not allow a cookie to be set from an iframe even using P3P?

Any other solutions?

One way to mitigate the session fixation attack is to use a new
session id after logging in.  But, best not to expose this weakness in
the first place.



-- 
Bill Moseley
moseley at hank.org
Sent from my iMutt
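The two defences raised in the post, never accepting a session id from the query string and regenerating the session id at login, together with the P3P header trick for the IE iframe case, as an added illustration that is not part of the original message or of any application the poster describes. It uses an in-memory session store and a stand-in request handler; the `/login` route, the `sid` cookie name, the password check and the P3P compact-policy string are all constructed for the example and are not from the post or the linked article.

```python
import secrets

# Illustrative P3P compact policy (assumption, not the poster's value).
# The tokens must reflect the site's real privacy practices; the header
# only tells IE it may accept the cookie from a third-party frame.
P3P_HEADER = 'CP="CAO PSA OUR"'


class SessionStore:
    """Minimal server-side session store keyed by an unguessable id."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # A fresh, server-generated id: the client never picks it.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        # Move the session data under a new id and drop the old one, so any
        # id an attacker planted before login stops referring to this session.
        data = self._sessions.pop(old_sid, {"user": None})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def handle_request(store, path, cookies, query, form=None):
    """Resolve the session for one request and return (sid, response_headers).

    cookies / query / form are plain dicts standing in for the real request.
    """
    # The session id is read from the cookie only. A "sid" in the query string
    # is deliberately ignored, which closes the fixation channel the post
    # describes (an attacker mailing a link with a pre-chosen id).
    sid = cookies.get("sid")
    if sid is None or store.get(sid) is None:
        sid = store.create()

    # Constructed login check: on successful authentication, rotate the id
    # before marking the session as authenticated.
    if path == "/login" and form and form.get("password") == "correct":
        sid = store.regenerate(sid)
        store.get(sid)["user"] = form["user"]

    headers = {
        # HttpOnly keeps the id away from scripts; Secure restricts it to TLS.
        "Set-Cookie": f"sid={sid}; HttpOnly; Secure; Path=/",
        # Lets IE accept the cookie when the site is embedded in an iframe.
        "P3P": P3P_HEADER,
    }
    return sid, headers


def demo():
    """Walk through a fixation attempt and a login; returns the observations."""
    store = SessionStore()
    # Victim follows a link carrying an attacker-chosen id in the query.
    sid, headers = handle_request(store, "/", {}, {"sid": "attacker-chosen"})
    before_login = sid
    # Victim logs in, presenting the cookie the server set on the first visit.
    sid, _ = handle_request(store, "/login", {"sid": before_login}, {},
                            {"user": "alice", "password": "correct"})
    return {
        "query_id_ignored": store.get("attacker-chosen") is None,
        "id_rotated_on_login": sid != before_login,
        "old_id_dead": store.get(before_login) is None,
        "p3p_sent": "P3P" in headers,
    }


if __name__ == "__main__":
    print(demo())
```

Note that regenerating only at login still leaves the anonymous pre-login session open to planting, which is why the query-string channel is removed as well; the P3P header is what lets the cookie-only approach keep working inside an IE iframe.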



