What happened with the session fixation bug?

Ben Laurie ben at algroup.co.uk
Sat Jun 4 02:33:36 PDT 2005

James A. Donald wrote:
>     --
> James A. Donald:
>>>PKI was designed to defeat man in the middle attacks 
>>>based on network sniffing, or DNS hijacking, which 
>>>turned out to be less of a threat than expected.
>>>However, the session fixation bugs 
>>>http://www.acros.si/papers/session_fixation.pdf make 
>>>https and PKI  worthless against such man in the 
>>>middle attacks.  Have these bugs been addressed?
> On 20 May 2005 at 23:21, Ben Laurie wrote:
>>Do they exist? Certainly any session ID I've ever had 
>>a hand in has two properties that strongly resist 
>>session fixation:
>>a) If a session ID arrives, it should already exist in 
>>the database.
>>b) Session IDs include HMACs.
> The way to beat session fixation is to issue a 
> privileged and impossible to predict session ID in 
> response to a correct login.
> If, however, you grant privileges to a session ID on the 
> basis of a successful login, which is in fact the usual 
> practice, you are hosed. The normal programming model 
> creates a session ID, then sets variables and flags 
> associated with that session ID in response to forms 
> submitted by the user.  To prevent session fixation, you 
> must create the session ID with unchangeable privileges 
> from the moment of creation.

Why? I suspect you are thinking of an attack other than session 
fixation. How does your attack work?



http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cypherpunks-legacy mailing list