session id abuse
From: Johnny GoLightly (mywebquestionyahoo.com.au)
Date: Fri Feb 13 2004 - 06:20:09 CST
I have some questions regarding session IDs.
Consider the following scenario:
User requires access to a web application for a long period of time with inactivity. Therefore assume that sessionID never expires.
Session information stored on web server (or application server) says that this user has read-only access to the information shown on the page which is extracted from a database.
The application auto refreshes the page on the browser every 15 minutes with updated info that other users may have entered in the preceding period.
Is it possible for:
1. Another user to change the session information on the server and change access from read only to write (by knowing the session id)?
2. Knowing the session id (perhaps from info on the URL) can one create another session from another browser using the same session ID?
3. How can you effectively limit concurrent access to only 1 session?
4. If client side certificates were to be used, could you create another session from another browser once the first session was authenticated? i.e., how do you restrict the access to only one browser?
5. If you are using server side validation for all user invoked queries, is it still possible to force data into the application to elevate your role? Assume that user roles are clearly defined in the db.
6. If a user with high privileges (such as write to db) leaves a workstation unattended with no session timeout, are there any controls that one could put in place to still validate the user is the privileged user after a period of time? For example, keep the session active, but to make any changes the application must validate information on a USB key?
7. How do you choose between session IDs tagged in the URL and session IDs in cookies? How do you restrict the information in either URL or cookie so that users can't use this info to abuse the application?
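The server-side controls these questions revolve around, as an added example that is not part of the original post or any reply to it: session state (including the role) lives only on the server, the client holds an opaque random ID, that ID is bound to the client's transport identity (for instance a client-certificate fingerprint), a user may hold one active session at a time, writes need a recent re-authentication even if the session itself never expires, and the ID can be rotated after login or a privilege change so an ID observed earlier is no longer useful. All names are hypothetical and the role table is a constructed in-memory stand-in for the database.

```python
# Added example (not from the original post): a minimal server-side session
# store showing the controls discussed in the questions above.  Names are
# hypothetical; USER_ROLES is a constructed stand-in for a roles table.
import secrets
import time

IDLE_TIMEOUT = 60 * 60      # seconds of inactivity before a session is dropped
REAUTH_WINDOW = 5 * 60      # a write needs an authentication at least this recent

# Constructed stand-in for the "user roles clearly defined in the db".
USER_ROLES = {"alice": "write", "bob": "read"}


class SessionStore:
    """All session state stays on the server; the client only holds the ID."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can move time forward
        self._sessions = {}      # session_id -> session record
        self._by_user = {}       # username -> the single active session_id

    def _new_id(self):
        # 256 bits from a CSPRNG: knowing how IDs are made does not help guess one
        return secrets.token_urlsafe(32)

    def login(self, username, client_binding):
        """Create a session after authentication.  client_binding is the
        client's transport identity (e.g. a client-certificate fingerprint)."""
        if username not in USER_ROLES:
            raise PermissionError("unknown user")
        # One concurrent session per user: a new login revokes the previous one.
        old = self._by_user.get(username)
        if old is not None:
            self._sessions.pop(old, None)
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": username, "binding": client_binding,
                               "auth_at": now, "last_seen": now}
        self._by_user[username] = sid
        return sid

    def _get(self, sid, client_binding):
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)
            return None
        # A copied ID presented from a different client is rejected.
        if not secrets.compare_digest(rec["binding"], client_binding):
            return None
        rec["last_seen"] = now
        return rec

    def role_for(self, sid, client_binding):
        """The role is looked up server-side from the user on every request; it is
        never read from anything the client sends, so a request cannot raise it."""
        rec = self._get(sid, client_binding)
        return None if rec is None else USER_ROLES[rec["user"]]

    def reauthenticate(self, sid, client_binding):
        """A fresh proof of identity (password, hardware token, ...) refreshes
        auth_at while the session itself keeps running."""
        rec = self._get(sid, client_binding)
        if rec is None:
            return False
        rec["auth_at"] = self._clock()
        return True

    def may_write(self, sid, client_binding):
        """Writes need both the write role and an authentication within REAUTH_WINDOW."""
        rec = self._get(sid, client_binding)
        if rec is None:
            return False
        fresh = self._clock() - rec["auth_at"] <= REAUTH_WINDOW
        return fresh and USER_ROLES[rec["user"]] == "write"

    def rotate(self, sid, client_binding):
        """Issue a new ID for the same session (after login or a privilege change)
        so an ID seen earlier, e.g. in a URL or log, stops being valid."""
        rec = self._get(sid, client_binding)
        if rec is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = rec
        self._by_user[rec["user"]] = new_sid
        return new_sid

    def logout(self, sid):
        rec = self._sessions.pop(sid, None)
        if rec is not None and self._by_user.get(rec["user"]) == sid:
            del self._by_user[rec["user"]]
```

Because the role comes from `USER_ROLES` on each request rather than from the session record or the request, changing it requires changing the database row, not guessing a session ID; the binding check is what makes a leaked ID useless from a second browser, and the single-session rule answers the concurrency question by revocation rather than by trying to detect the second client.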