Re: How to create (hijacking) secure HTTP sessions?
From: Nathan Keltner (shiftnato gmail.com)
Date: Wed Jun 07 2006 - 10:43:00 CDT
On 6/7/06, Michael Decker <MDecker tesis.de> wrote:
> > Do not mix SSL sections with non-SSL sections.
>
> What do you mean by this?
If session information for an SSL area is ever moved into a non-SSL
area (and the session info is still valid for SSL areas), that's bad.
For example, you login to a secure section of your ecommerce site but
then browse to a non-secure section and your session ID travels along
with you for tracking purposes. If the session ID ever hits a non-SSL
area, you have to invalidate it for all SSL areas and require the user
to log back in. One way to do that is to just keep them entirely
separate, but it's not necessarily required, as long as the session ID
no longer is valid for SSL areas.
Regards,
Nathan Keltner
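The rule above (an authenticated session ID that ever appears in a non-SSL request must stop being valid for SSL areas) sketched as server-side logic. This is an added example, not code from the post; the store, cookie names and `handle()` signature are constructed for illustration.

```python
import secrets


class SessionStore:
    """Constructed example: authenticated sessions are valid only over TLS.
    A separate, low-value tracking ID is what may travel over plain HTTP."""

    def __init__(self):
        self.auth_sessions = {}  # sid -> user; honoured only on https
        self.tracking = {}       # tid -> data; harmless if seen on http

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.auth_sessions[sid] = user
        return sid

    def new_tracking_id(self):
        tid = secrets.token_urlsafe(16)
        self.tracking[tid] = {}
        return tid

    def handle(self, scheme, cookies):
        """Return (user_or_None, extra Set-Cookie headers) for one request."""
        sid = cookies.get("auth_sid")
        if sid is not None and scheme != "https":
            # The session ID has been exposed on the wire: revoke it for all
            # SSL areas and clear the cookie, so the user must log in again.
            self.auth_sessions.pop(sid, None)
            return None, ["auth_sid=; Max-Age=0; Secure; HttpOnly; Path=/"]
        user = self.auth_sessions.get(sid) if sid else None
        return user, []


def set_cookie_headers(sid, tid):
    """Keep the two IDs entirely separate: the auth cookie carries the Secure
    flag so a browser never sends it over http; the tracking cookie does not."""
    return [
        f"auth_sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/",
        f"tracking_id={tid}; Path=/",
    ]
```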