[thelist] Session Fixation
Lauri
lauri_lists at tharapita.com
Fri Jun 12 09:15:37 CDT 2009
Hi Bill,
There is another variation of Session Fixation that works on cookies by
relying on brief access to your computer (or exploiting public
computers/internet cafes).
An attacker can visit a site, note down the cookie ID from before the login
and wait for (or induce) a victim to log in with their credentials on that
computer. Then the attacker can use that session ID as the original user
does. The fact that a session ID was already on that browser remains
unnoticed by the victim.
Minting a new session ID whenever the authentication level changes is a good
session ID management practice regardless of whether you're using cookies or
parameters.
Cheers,
Lauri Väin
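The scenario and mitigation described above, as an added example that is not part of the original post: a minimal in-memory session store (constructed here, not from any real framework) with a login that keeps the pre-login session ID beside one that mints a new ID on authentication, and a simulation showing that only the latter stops an ID noted before login from resolving to the logged-in user.

```python
import secrets


class SessionStore:
    """Tiny in-memory session store, constructed for this example."""
    def __init__(self):
        self._sessions = {}  # session id -> session data

    def create(self):
        """Issue an anonymous (pre-login) session, as a site does on first visit."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        """Resolve a session id to the logged-in user, or None if unknown/anonymous."""
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None

    def login_keeping_id(self, sid, username):
        """Weak: authenticates the existing id in place, so an id observed before
        login (e.g. on a shared machine) now resolves to a logged-in session."""
        self._sessions[sid]["user"] = username
        return sid

    def login_regenerating_id(self, sid, username):
        """Mitigation: mint a fresh id when the authentication level changes and
        retire the old one, so the pre-login id no longer maps to anything."""
        data = self._sessions.pop(sid, {"user": None})
        data["user"] = username
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def logout(self, sid):
        """Logout is also an authentication-level change: drop the session."""
        self._sessions.pop(sid, None)


def pre_login_id_still_works(regenerate):
    """Simulate the post's scenario: an id is noted before login, then the victim
    logs in. Returns the user that noted id resolves to afterwards (None = safe)."""
    store = SessionStore()
    noted_before_login = store.create()  # id already in the browser before login
    if regenerate:
        store.login_regenerating_id(noted_before_login, "victim")
    else:
        store.login_keeping_id(noted_before_login, "victim")
    return store.user_for(noted_before_login)
```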