What happened with the session fixation bug?

Ben Laurie ben at algroup.co.uk
Sat Jun 4 02:33:36 PDT 2005


James A. Donald wrote:
>     --
> James A. Donald:
> 
>>>PKI was designed to defeat man in the middle attacks 
>>>based on network sniffing, or DNS hijacking, which 
>>>turned out to be less of a threat than expected.
>>>
>>>However, the session fixation bugs 
>>>http://www.acros.si/papers/session_fixation.pdf make 
>>>https and PKI worthless against such man in the 
>>>middle attacks.  Have these bugs been addressed?
> 
> 
> On 20 May 2005 at 23:21, Ben Laurie wrote:
> 
>>Do they exist? Certainly any session ID I've ever had 
>>a hand in has two properties that strongly resist 
>>session fixation:
>>
>>a) If a session ID arrives, it should already exist in 
>>the database.
>>
>>b) Session IDs include HMACs.
> 
> 
> The way to beat session fixation is to issue a 
> privileged and impossible to predict session ID in 
> response to a correct login.
> 
> If, however, you grant privileges to a session ID on the 
> basis of a successful login, which is in fact the usual 
> practice, you are hosed. The normal programming model 
> creates a session ID, then sets variables and flags 
> associated with that session ID in response to forms 
> submitted by the user.  To prevent session fixation, you 
> must create the session ID with unchangeable privileges 
> from the moment of creation.

Why? I suspect you are thinking of an attack other than session 
fixation. How does your attack work?

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
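The two login patterns Donald contrasts, with Laurie's properties a) and b) built in, as an added illustration that is not part of this thread; `SessionStore`, `tag`, `fixation_succeeds` and the server key are names and values assumed for the example only.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for the HMAC tag; a real deployment loads it from config.
SERVER_KEY = b"constructed-example-key"

def tag(sid: str) -> str:
    """Append an HMAC (Laurie's property b) so a client-minted ID fails verification."""
    mac = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{sid}.{mac}"

def valid(token: str) -> bool:
    sid, _, _ = token.rpartition(".")
    return bool(sid) and hmac.compare_digest(tag(sid).encode(), token.encode())

class SessionStore:
    """Minimal in-memory session table; a token maps to its session state."""
    def __init__(self):
        self.sessions = {}

    def issue(self, user=None) -> str:
        token = tag(secrets.token_urlsafe(16))   # unpredictable, server-issued
        self.sessions[token] = {"user": user}
        return token

    def lookup(self, token):
        # Property a): an arriving ID must be well-formed and already in the table.
        return self.sessions.get(token) if valid(token) else None

    def login_fixable(self, token: str, user: str) -> str:
        """The usual pattern: the ID the client presented simply gains privileges."""
        if self.lookup(token) is not None:
            self.sessions[token]["user"] = user
        return token

    def login_regenerate(self, token: str, user: str) -> str:
        """Donald's fix: retire the presented ID and issue a fresh one at login."""
        self.sessions.pop(token, None)
        return self.issue(user)

def fixation_succeeds(login) -> bool:
    """Does a pre-existing, server-issued ID carry the user's privileges after login?"""
    store = SessionStore()
    preset = store.issue()            # anonymous ID that exists before the login
    login(store, preset, "alice")     # the user authenticates while holding it
    sess = store.lookup(preset)
    return sess is not None and sess["user"] == "alice"
```

Both checks a) and b) hold in both variants; only the regenerating login leaves the pre-login ID without privileges.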

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com




