[thelist] Security when managing online sessions
Andrew Forsberg
andrew at thepander.co.nz
Tue Dec 4 17:28:36 CST 2001
>The only way this could go wrong I suppose is if
>someone 1) hacks into our db server (SQL Server 7.0), or 2) obtains the
>session cookie from the user's machine while their session is active.
>
>What do you think? I'm using ASP if you're curious. TIA.
In the last Netcraft newsletter there was mention of a JSP session ID
vulnerability. It seems that the session ID for quite a few JSP
servers was not quite unique enough, and so easily spoofed. I don't
know to what degree, or whether, this applies to ASP or not, but you
may want to double check how random the session ID really is.
Oh, and setting usernames in a cookie would be bad. :)
Here's the Netcraft advisory:
http://www.netcraft.com/security/public-advisories/2001-01.1.html
Cheers
Andrew
--
Andrew Forsberg
---
uberNET - http://uber.net.nz/
the pander - http://thepander.co.nz/
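The "double check how random the session ID really is" advice above, illustrated with an added example that is not part of the original post or of any ASP/JSP server's code. It contrasts a constructed weak scheme (an ID derived from a PRNG seeded with the wall-clock second, an assumption standing in for "not quite unique enough") with IDs drawn from the OS CSPRNG, and runs the two checks a reviewer would actually perform: whether a burst of IDs issued close together collides, and whether someone who knows the scheme and the approximate time can reproduce a victim's ID.

```python
import random
import secrets
import time


def weak_session_id(clock_seconds=None):
    """Constructed weak generator (assumed, for illustration only).

    Seeds a non-cryptographic PRNG with the current wall-clock second, so
    every request served in the same second gets the same ID, and anyone who
    knows the scheme and roughly when the victim logged in can regenerate it.
    """
    t = int(time.time()) if clock_seconds is None else clock_seconds
    rng = random.Random(t)
    return "%08x" % rng.getrandbits(32)


def strong_session_id():
    """128 bits from the OS CSPRNG, URL-safe so it can go straight into a cookie."""
    return secrets.token_urlsafe(16)


def collision_rate(ids):
    """Fraction of IDs in a batch that duplicate an earlier one (0.0 = all unique)."""
    return 1 - len(set(ids)) / len(ids)


def burst(generator, n, **kwargs):
    """Issue n IDs 'at once', as a busy server would within a single second."""
    return [generator(**kwargs) for _ in range(n)]


def attacker_guess(clock_seconds):
    """An attacker who knows the weak scheme reproduces the ID for a given second."""
    return weak_session_id(clock_seconds)


def victim_id_is_guessable(victim_clock_seconds, window=5):
    """Does trying every second in a small window around the login time hit the ID?"""
    victim = weak_session_id(victim_clock_seconds)
    guesses = {attacker_guess(victim_clock_seconds + d) for d in range(-window, window + 1)}
    return victim in guesses


if __name__ == "__main__":
    fixed_second = 1_007_500_000  # constructed login time for the demonstration
    weak = burst(weak_session_id, 100, clock_seconds=fixed_second)
    strong = burst(strong_session_id, 100)
    print("weak   collision rate in one second:", collision_rate(weak))
    print("strong collision rate in one second:", collision_rate(strong))
    print("weak ID guessable from login time:", victim_id_is_guessable(fixed_second))
```

The collision check alone does not prove an ID is unpredictable (a counter never collides either), which is why the second check matters: if an outsider who knows the algorithm and a rough timestamp can regenerate the value, the ID is a guess, not a secret, regardless of how unique it looks in the logs.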