What happened with the session fixation bug?

Ben Laurie ben at algroup.co.uk
Fri May 20 15:21:35 PDT 2005

James A. Donald wrote:
>     --
> PKI was designed to defeat man in the middle attacks
> based on network sniffing, or DNS hijacking, which
> turned out to be less of a threat than expected.
> However, the session fixation bugs
> http://www.acros.si/papers/session_fixation.pdf make
> https and PKI  worthless against such man in the middle
> attacks.  Have these bugs been addressed?

Do they exist? Certainly any session ID I've ever had a hand in has two 
properties that strongly resist session fixation:

a) If a session ID arrives, it should already exist in the database.

b) Session IDs include HMACs.

Session fixation is defeated by either of these. Modulo insider attacks, 
of course. :-)

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cypherpunks-legacy mailing list