From: Gabriel Lawrence (gabe_at_butterflysecurity.com)
Date: Thu Jul 25 2002 - 15:50:35 CDT
Not to bash IE, but it has a bug that expires the SSL session ID very
frequently, often before you even get back to the server after the first
request.
We had tried to use SSL session ids to manage sticky sessions through a
load balancer once and it just turned out not to be possible. This was
with IE 5.x I think, and MSFT had classified this as not a bug...
-gabe
On Thu, 2002-07-25 at 11:52, Ben Mord wrote:
>
> Has anyone tried to get these two layers to talk to each other? We have two
> concepts of a session here. At a lower level we have the SSL session, and at
> a higher level we have the cookie-based concept of a session. Only one of
> these two sessions was rigorously designed using cryptographic principles to
> prevent hijacking. Unfortunately, this is not the one used by custom
> application logic to enforce user-specific access control! Programmers use
> the weaker, cookie-based concept.
>
--
Gabriel Lawrence
CTO, Butterfly Security <www.butterflysecurity.com>
(408) 333-9948
gabe_at_butterflysecurity.com
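
The failure described in the message above, as an added simulation that is not part of the original thread: a load balancer keeps a persistence table keyed on either the SSL session ID or the application cookie, and a client that presents a fresh SSL session ID between requests lands on a backend that has never seen its session. The backend names, request fields and session values are constructed for illustration.

```python
BACKENDS = ["app-1", "app-2", "app-3"]  # hypothetical backend pool


class Balancer:
    """Load balancer with a persistence table keyed on 'ssl_id' or 'cookie'."""

    def __init__(self, sticky_on: str):
        self.sticky_on = sticky_on
        self.table = {}      # stickiness key -> backend
        self.next_slot = 0   # round-robin pointer for keys not seen before
        self.sessions = {b: set() for b in BACKENDS}  # per-backend session state

    def route(self, request: dict) -> str:
        key = request[self.sticky_on]
        if key not in self.table:
            # Unknown key: treated as a new client and assigned round-robin.
            self.table[key] = BACKENDS[self.next_slot % len(BACKENDS)]
            self.next_slot += 1
        return self.table[key]

    def handle(self, request: dict) -> bool:
        """Return True if the chosen backend already holds this cookie session."""
        backend = self.route(request)
        known = request["cookie"] in self.sessions[backend]
        self.sessions[backend].add(request["cookie"])
        return known


def simulate(sticky_on: str, ssl_ids: list) -> int:
    """Count follow-up requests that reach a backend without the user's session."""
    lb = Balancer(sticky_on)
    misses = 0
    for i, ssl_id in enumerate(ssl_ids):
        # One logical user: the cookie never changes, the SSL session ID may.
        hit = lb.handle({"cookie": "sess-constructed-1", "ssl_id": ssl_id})
        if i > 0 and not hit:
            misses += 1
    return misses


if __name__ == "__main__":
    stable = ["A", "A", "A", "A"]    # client resumes the same SSL session
    churning = ["A", "B", "C", "A"]  # client renegotiates a new ID each time
    print("ssl_id sticky, stable IDs  :", simulate("ssl_id", stable))
    print("ssl_id sticky, churning IDs:", simulate("ssl_id", churning))
    print("cookie sticky, churning IDs:", simulate("cookie", churning))
```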