Re: How to create (hijacking) secure HTTP sessions?

From: Adam Tuliper (amtgecko-software.com)
Date: Sat Jun 03 2006 - 13:26:44 CDT


Beginning with IE5, the SSL session ID is renegotiated every two minutes during
the same session.
HTTP session IDs based on this method would no longer remain valid then.
In addition, I don't believe this field is readily available to most web
developers, at least on the MS platform.

----- Original Message -----
From: "Jason Muskat" <JasonTechDude.Ca>
To: "Michael Decker" <MDeckertesis.de>; <webappsecsecurityfocus.com>
Sent: Friday, June 02, 2006 10:18 PM
Subject: Re: How to create (hijacking) secure HTTP sessions?

> Hello,
>
> You have the major parts, especially "HTTP session ID joined with IP and
> SSL session ID". Most web-apps don't do this, but they should.
>
> To that one should add
>
> A) allow only one active login
>
> Regards,
>
> --
> Jason Muskat | GCUX - de VE3TSJ
> ____________________________
> TechDude
> e. JasonTechDude.Ca
> m. 416 .414 .9934
>
> http://TechDude.Ca/
>
>
>> From: Michael Decker <MDeckertesis.de>
>> Organization: Tesis SYSware GmbH
>> Date: Thu, 01 Jun 2006 09:13:50 +0200
>> To: <webappsecsecurityfocus.com>
>> Subject: How to create (hijacking) secure HTTP sessions?
>>
>> Hi!
>>
>> I tried to figure out how to create HTTP sessions that are not so easy
>> to hijack.
>>
>> So I think about these mechanisms:
>>
>> * Using HTTPS
>> * Randomize HTTP session IDs
>> * Only create HTTP session ID after login
>> * HTTP session ID joined with IP and SSL session ID
>> * Block all session ID uses that don't match IP and SSL session ID
>> * Set HTTP session timeout
>> * Expire HTTP session after logout
>>
>> Is that all? Is there any mechanism that isn't a good idea?
>>
>> Bye,
>> Michael
>>
>> --
>> Michael Decker Michael.Deckertesis.de
>> TESIS SYSware GmbH http://www.tesis.de
>> Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0
>>
>>
>
>
>

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application
security assessment by leading market research firm. Watchfire's AppScan
is the industry's first and leading web application security testing
suite, and the only solution to provide comprehensive and consolidated
remediation task lists at every level of the application. See for
yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------
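As an added example (not code from anyone in this thread), here is a Python session store that applies the mechanisms Michael lists and exposes the pitfall Adam raises: the ID is only created after login, sessions are bound to the client IP, idle and absolute timeouts apply, logout expires the session, and each user gets one active login. With `bind_tls_session=True` the session is also tied to the TLS session ID, so a change of that ID (the periodic renegotiation Adam describes) drops the HTTP session. Class and parameter names, addresses and timeout values are assumptions for the illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before the session expires (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on session lifetime regardless of activity (assumed)


class SessionStore:
    """Server-side session store; bind_tls_session=True also ties a session to the
    TLS session ID, which breaks as soon as the client renegotiates (Adam's point)."""

    def __init__(self, bind_tls_session=False):
        self.bind_tls_session = bind_tls_session
        self.sessions = {}   # session ID -> session record
        self.by_user = {}    # user -> session ID, enforcing one active login

    def login(self, user, client_ip, tls_session_id, now=None):
        now = time.time() if now is None else now
        # One active login per user: a new login revokes the previous session.
        old = self.by_user.pop(user, None)
        if old is not None:
            self.sessions.pop(old, None)
        # The ID is created only after authentication and comes from the OS
        # CSPRNG (256 bits), so it cannot be predicted or pre-set by an attacker.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "ip": client_ip, "tls": tls_session_id,
                              "created": now, "last_seen": now}
        self.by_user[user] = sid
        return sid

    def validate(self, sid, client_ip, tls_session_id, now=None):
        """Return the user for a valid session, or None (the session is then dropped)."""
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None:
            return None
        expired = (now - s["last_seen"] > IDLE_TIMEOUT
                   or now - s["created"] > ABSOLUTE_TIMEOUT)
        ip_mismatch = s["ip"] != client_ip
        tls_mismatch = self.bind_tls_session and s["tls"] != tls_session_id
        if expired or ip_mismatch or tls_mismatch:
            self.logout(sid)   # block any use that does not match the binding
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        s = self.sessions.pop(sid, None)
        if s is not None:
            self.by_user.pop(s["user"], None)
```

Binding to the client IP has its own failure mode for users behind rotating proxies or NAT pools, so the same mismatch handling applies there as well.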