[thelist] Session Fixation

Bill Moseley moseley at hank.org
Fri Jun 12 09:44:06 CDT 2009

On Fri, Jun 12, 2009 at 05:15:37PM +0300, Lauri wrote:
> There is another variation of Session Fixation that works on cookies by
> relying on brief access to your computer (or exploiting public
> computers/internet cafes). 

Yes. All bets are off when there's physical access to the machine.

> Minting a new session ID whenever the authentication level changes is a good
> session ID management practice regardless of whether you're using cookies or
> parameters.

Indeed.  That goes a long way to solve this.

I've never had an application embed a site into an iframe of
another site so never had to deal with IE blocking the iframe cookies.

My hope is to disable the session id in the URL to prevent the
fixation (when there's no physical access).  Another developer said
they tried using a P3P header but there were cases where it failed to
work.  I was just wondering if anyone here has experience with using
P3P header for this purpose and knows if there are cases where P3P
doesn't solve the cookie in the iframe issue.


Bill Moseley.
moseley at hank.org
Sent from my iMutt
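The practice Lauri recommends above (minting a new session ID whenever the authentication level changes) is what closes the fixation hole this thread discusses. The following is an added example written for this page, not code from the list or from any project mentioned in it; the in-memory store, method names and simulated login flow are all constructed for illustration.

```python
"""Session-ID rotation on login as a defence against session fixation.
Added example, not from the thread; store and names are constructed."""
import secrets


class SessionStore:
    """In-memory session store keyed by opaque, randomly generated IDs."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        """Start an anonymous session and return its ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        """Return session data for a live ID, or None if unknown/retired."""
        return self._sessions.get(sid)

    def authenticate_fixed(self, sid, user):
        """Weak variant: the pre-login ID is kept, so an ID that was known
        before login remains a valid authenticated session afterwards."""
        self._sessions[sid]["user"] = user
        return sid

    def authenticate(self, sid, user):
        """Hardened variant: mint a fresh ID when the authentication level
        changes and retire the old one, so the pre-login ID is worthless."""
        data = self._sessions.pop(sid)   # old ID no longer resolves
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def fixation_survives_login(rotate):
    """Simulate a session ID that is known before login and report whether
    it still grants the logged-in session afterwards (True = vulnerable)."""
    store = SessionStore()
    known_sid = store.create()                 # ID known before login
    login = store.authenticate if rotate else store.authenticate_fixed
    login(known_sid, "alice")
    data = store.lookup(known_sid)
    return data is not None and data["user"] == "alice"
```

Running `fixation_survives_login(False)` returns True (the pre-login ID became an authenticated session), while `fixation_survives_login(True)` returns False because the ID was rotated and the old one retired.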