|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: Session Fixation
From: Cyrill Osterwalder (cyrill.osterwalder
seclutions.com)
Date: Wed Apr 02 2003 - 01:15:12 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
>I am currently logging the super cookie to try and determine if it
>really is unique enough.
I always prefer and also recommend to have a session identifier of which
the uniqueness is controlled and therefore guaranteed by the server, not
any client software. The server software should not rely on the client side
regarding this issue.
When using SSL connections, I'm often using the SSL session ID which is
exactly such an example where the server guarantees uniqueness. However,
the SSL session ID also has some problems like that old browser versions do
not keep it long enough or that you lose sessions if your server side SSL
session pool is not big enough. If one of these issues are relevant, I
build long enough and very good random identifiers where I guarantee
uniqueness in the session management code.
Cyrill
---------------------------------------------------
Cyrill Osterwalder
Chief Technology Officer
http://www.seclutions.com
PGPKey FP :5C84E132BBD50AB1627BF873D3B6CAF4C70E7ACB
PGPKey URL:ldap://certserver.pgp.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]