From: Innes Fisher (Innes.Fisher@ccdhb.org.nz)
Date: Tue Mar 05 2002 - 13:49:18 CST

    Mike,

    My concern in using GUIDs as a session token is that they are predictable and therefore give an attacker a much greater opportunity to establish a conversation with the web server by predicting an "in use" token and piggy-backing on an already authenticated user session. I haven't gone to the extent of proving it yet, but it seems intuitive that this would be relatively easy.

    Innes

    >>> "Michael Howard" <mikehow@microsoft.com> 03/06/02 06:43AM >>>
    Rather than just diving into an answer - what's the threat(s) you want
    to mitigate?

    -----Original Message-----
    From: Innes Fisher [mailto:innes.fisher@ccdhb.org.nz]
    Sent: Monday, March 04, 2002 1:38 PM
    To: webappsec@securityfocus.com
    Subject: Secure Token Generation

    This is a follow-on from a recent email from me about the use of GUID/UUIDs as secure session tokens.

    Firstly, thanks for the previous responses.

    Having advised our apps developers that GUIDs were not a good secure session token, the first question I got in response was, "What is?".

    Is there a recommended method for generating security tokens?

    The tokens could be used in app/server exchanges or in human-app interaction.

    Thanks, Innes

    CC DHB Secure Mail Server
    ********************************************************************************
    This email or attachment(s) may contain confidential or legally privileged information intended for the sole use of the addressee(s). Any use, redistribution, disclosure, or reproduction of this message, except as intended, is prohibited. If you received this email in error, please notify the sender and remove all copies of the message, including any attachments. Any views or opinions expressed in this email (unless otherwise stated) may not represent those of Capital and Coast District Health Board. (AC_S001)
    ********************************************************************************
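The question in this thread ("what is a good session token, if not a GUID?") is illustrated below with an added Python example; it is not code from any participant in the thread. It shows two things: why an RFC 4122 version-1 UUID is a weak session token (its fields are a 60-bit timestamp, a 14-bit clock sequence and the host's 48-bit node/MAC address, so an attacker who has seen one token from a server already knows most of the next one), and the usual alternative, a token of at least 128 bits drawn from the operating system's CSPRNG and stored server-side only as a hash. The two sample v1 UUIDs are constructed for the example, and `SessionStore` is a hypothetical in-memory store, not any real framework's API.

```python
"""Added example: analysing v1 GUID predictability and generating CSPRNG session tokens."""
import hashlib
import hmac
import secrets
import uuid

# Constructed sample: two consecutive RFC 4122 version-1 UUIDs from the same
# host, built from explicit fields so the example is deterministic.
# Fields: time_low-time_mid-time_hi_version-clock_seq-node
SAMPLE_V1_A = "12345678-9abc-1def-9234-001122334455"
SAMPLE_V1_B = "1234567a-9abc-1def-9234-001122334455"


def v1_fields_shared(a: str, b: str) -> dict:
    """Report which fields of v1 UUID `b` an attacker already knows after
    seeing v1 UUID `a` from the same server.

    With node and clock_seq shared, only the timestamp is unknown, and a
    timestamp is bounded by when the victim logged in.
    """
    ua, ub = uuid.UUID(a), uuid.UUID(b)
    if ua.version != 1 or ub.version != 1:
        raise ValueError("both values must be version-1 UUIDs")
    return {
        "node": ua.node == ub.node,                  # 48-bit MAC / node id
        "clock_seq": ua.clock_seq == ub.clock_seq,   # 14-bit clock sequence
        "time_delta_100ns": ub.time - ua.time,       # 60-bit timestamp, 100 ns ticks
    }


def new_session_token(nbytes: int = 32) -> str:
    """Session token from the OS CSPRNG: `nbytes` random bytes (default 256 bits),
    encoded as unpadded URL-safe base64 so it can travel in a cookie or URL."""
    return secrets.token_urlsafe(nbytes)


def tokens_equal(a: str, b: str) -> bool:
    """Constant-time comparison for any place raw tokens are compared directly
    (e.g. a CSRF token), so timing does not leak how many leading bytes matched."""
    return hmac.compare_digest(a.encode(), b.encode())


class SessionStore:
    """Hypothetical in-memory session store (assumption, not a real framework).

    Sessions are keyed by SHA-256(token) rather than the token itself, so a
    leaked copy of the store does not hand out live sessions.
    """

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str) -> str:
        token = new_session_token()
        self._sessions[self._key(token)] = user
        return token  # sent to the client once; never stored in the clear

    def lookup(self, token: str):
        """Return the user bound to `token`, or None if unknown/revoked."""
        return self._sessions.get(self._key(token))

    def revoke(self, token: str) -> bool:
        return self._sessions.pop(self._key(token), None) is not None


if __name__ == "__main__":
    print("v1 GUID fields an attacker already knows:",
          v1_fields_shared(SAMPLE_V1_A, SAMPLE_V1_B))
    store = SessionStore()
    tok = store.create("alice")
    print("CSPRNG session token:", tok, "->", store.lookup(tok))
```

The analysis function returns `node` and `clock_seq` as shared and a 2-tick timestamp difference for the constructed pair, which is the thread's concern made concrete. The replacement token carries 256 bits from `secrets` (backed by `os.urandom`), which is what a practitioner should reach for; a version-4 UUID is only as good as the random source behind it, and whether a given platform's GUID generator is version 1 or version 4 has to be checked rather than assumed.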