[thelist] Session Fixation

Lauri lauri_lists at tharapita.com
Fri Jun 12 09:15:37 CDT 2009


Hi Bill, 

There is another variation of Session Fixation that works on cookies by
relying on brief access to your computer (or exploiting public
computers/internet cafes). 

An attacker can visit a site, note down the cookie ID from before the login,
and wait for (or induce) a victim to log in with their credentials on that
computer. Then the attacker can use that session ID as the original user
does. The fact that a session ID was already on that browser remains
unnoticed by the victim. 

Minting a new session ID whenever the authentication level changes is a good
session ID management practice regardless of whether you're using cookies or
parameters. 

Cheers, 
Lauri Väin 
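The shared-computer scenario and the mitigation described in the message above, as an added example that is not part of the original post. It is a self-contained Python model of a server-side session table (the post does not name a language or framework); the user name, password and session store are constructed for the demo. `login_keep_id` authenticates the pre-existing session in place (the fixation-prone behaviour), while `login_new_id` mints a fresh session ID when the authentication level changes and retires the old one, so an ID noted down before login stops resolving to anyone.

```python
import hmac
import secrets

# Constructed demo credential store; a real application would store salted
# password hashes, not plaintext.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """In-memory session table: session_id -> session data."""

    def __init__(self):
        self._sessions = {}

    def start_anonymous(self):
        """Issue the pre-login session a browser receives on its first visit."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        """Return the user the server associates with this ID (None if anonymous or unknown)."""
        data = self._sessions.get(sid)
        return data["user"] if data else None

    def _check(self, username, password):
        expected = USERS.get(username)
        return expected is not None and hmac.compare_digest(expected, password)

    def login_keep_id(self, sid, username, password):
        """Fixation-prone login: upgrades the existing session in place, so whoever
        already knows this ID now holds an authenticated session."""
        if sid not in self._sessions or not self._check(username, password):
            return None
        self._sessions[sid]["user"] = username
        return sid

    def login_new_id(self, sid, username, password):
        """Mitigated login: mint a new ID on authentication-level change and drop
        the pre-login ID, so a previously noted-down ID becomes worthless."""
        if sid not in self._sessions or not self._check(username, password):
            return None
        self._sessions.pop(sid)  # retire the pre-login session ID
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid


def shared_computer_scenario(regenerate):
    """Model the post's scenario: one party visits the site on a shared browser and
    notes the cookie, then the victim logs in on the same browser. Returns the user
    that the noted-down ID resolves to afterwards (None means it is useless)."""
    store = SessionStore()
    noted_sid = store.start_anonymous()  # cookie present before the victim logs in
    login = store.login_new_id if regenerate else store.login_keep_id
    victim_sid = login(noted_sid, "alice", "correct horse battery staple")
    assert victim_sid is not None, "constructed credentials should authenticate"
    return store.user_for(noted_sid)


if __name__ == "__main__":
    print("keep ID on login :", shared_computer_scenario(regenerate=False))  # alice
    print("new ID on login  :", shared_computer_scenario(regenerate=True))   # None
```

The same regeneration step belongs at every authentication-level change the post mentions (logout, step-up to an admin role), not only at login, and it is independent of whether the ID travels in a cookie or a URL parameter.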