From: Serguey Forcade (sergueyf at gmail.com)
Date: Tue Apr 03 2007 - 11:32:58 CDT
Thanks, but I based my assumptions on an article from Microsoft
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/iisbook/c06_asp_session_id_and_session_security.mspx?mfr=true).
Even though your statement makes sense, it's just that I haven't been
able to find more info about the relationship between the session ID
and the cookie.
On 4/3/07, Rogan Dawes <discard at dawes.za.net> wrote:
> Serguey Forcade wrote:
> > Hi, I'd like to know if anyone knows of a paper that explains how to
> > extract the encryption password IIS creates when it starts up, and
> > uses to encrypt the session ID + random data in order to generate the
> > cookie value the user receives.
> >
> > I'm interested in IIS 5.0.
> >
> > Thanks.
> >
>
> Take this with a pinch of salt, but I don't think that the session
> identifier and the cookie value are directly related.
>
> One reason for this statement is that if you abandon the session (using
> ASP), and create a new one, the cookie value does not change. However,
> the result of "Session.SessionID" DOES change.
>
> I suspect that the cookie value is generated using a combination of some
> static/sequential info, and some random data, and then associated with
> the next available (i.e. sequential integer) SessionID. When the session
> is abandoned, the session object associated with that integer SessionID
> is discarded. A subsequent request from the client containing the old
> Session Cookie value will then automatically be associated with the next
> available sequential integer SessionID.
>
> Hope this helps.
>
> Rogan
>
> P.S. One consequence of this inability to change the cookie value
> through abandoning the session is that ASP apps are AUTOMATICALLY
> vulnerable to Session Fixation
> <http://www.owasp.org/index.php/Session_Fixation>. An approach to
> protecting ASP apps against session fixation is shown here
> <http://www.owasp.org/index.php/Session_Fixation_Protection>
>
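The following is an added example, not code from this thread, from Microsoft or from the OWASP pages Rogan links. It models in Python the behaviour he describes (the cookie value stays the same across Session.Abandon(), while the integer SessionID moves on) and then layers on the kind of protection the OWASP page recommends: at login a fresh random token is stored both in the session and in a second cookie, and every request is accepted only if the two match. The store class, the cookie name AUTHTOKEN and all sample values are constructed for the example; a real deployment would do this inside the ASP pages themselves.

```python
import hmac
import secrets


class AspLikeSessionStore:
    """Constructed toy model of the classic ASP behaviour described above:
    the ASPSESSIONID cookie value is fixed for the browser, while Abandon()
    drops the session data and the next request gets a fresh sequential
    SessionID bound to the same old cookie value."""

    def __init__(self):
        self._next_id = 1
        self._by_cookie = {}  # cookie value -> (session_id, data dict)

    def issue_cookie(self):
        # Stands in for the opaque ASPSESSIONID value IIS hands out.
        return secrets.token_hex(12)

    def session_for(self, cookie):
        # Any unknown cookie value silently gets the next SessionID,
        # which is exactly why the cookie alone cannot be trusted.
        if cookie not in self._by_cookie:
            self._by_cookie[cookie] = (self._next_id, {})
            self._next_id += 1
        return self._by_cookie[cookie]

    def abandon(self, cookie):
        # Session.Abandon(): data is discarded, the cookie value is not changed.
        self._by_cookie.pop(cookie, None)


# Fixation protection: a second random secret, held in the session and
# echoed back by the client in its own cookie (name is an assumption).
TOKEN_COOKIE = "AUTHTOKEN"


def login(store, cookie, username):
    """Called only after the credentials have been verified. Binds the
    session to a fresh random token and returns the value the client must
    present in the AUTHTOKEN cookie on later requests."""
    _sid, data = store.session_for(cookie)
    token = secrets.token_urlsafe(32)
    data["user"] = username
    data["token"] = token
    return token


def authorized_user(store, cookie, token_cookie):
    """Returns the logged-in user name only when the session carries a
    token and the presented AUTHTOKEN cookie matches it; otherwise None.
    A pre-set session cookie with no matching token therefore buys nothing."""
    _sid, data = store.session_for(cookie)
    expected = data.get("token")
    if expected is None or token_cookie is None:
        return None
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), token_cookie.encode()):
        return None
    return data.get("user")


def logout(store, cookie):
    # Abandoning also drops the token, so the old token cookie stops working.
    store.abandon(cookie)


def demo():
    """Walks through the sequence discussed in the thread and returns the
    observations so they can be checked."""
    store = AspLikeSessionStore()
    cookie = store.issue_cookie()          # same cookie value throughout

    sid_before, _ = store.session_for(cookie)
    store.abandon(cookie)
    sid_after, _ = store.session_for(cookie)   # new integer, old cookie

    token = login(store, cookie, "alice")
    good = authorized_user(store, cookie, token)
    missing = authorized_user(store, cookie, None)
    wrong = authorized_user(store, cookie, "not-the-real-token")
    logout(store, cookie)
    stale = authorized_user(store, cookie, token)

    return {
        "sid_before": sid_before,
        "sid_after": sid_after,
        "good": good,
        "missing": missing,
        "wrong": wrong,
        "stale": stale,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check deliberately keys on the token rather than on the SessionID: as the thread notes, the integer SessionID is reassigned on every Abandon(), so comparing against it would be meaningless, whereas the token is unpredictable, created only after authentication, and discarded with the session.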