What happened with the session fixation bug?

James A. Donald jamesd at echeque.com
Mon May 23 09:37:26 PDT 2005

James A. Donald:
> > PKI was designed to defeat man in the middle attacks 
> > based on network sniffing, or DNS hijacking, which 
> > turned out to be less of a threat than expected.
> >
> > However, the session fixation bugs 
> > http://www.acros.si/papers/session_fixation.pdf make 
> > https and PKI  worthless against such man in the 
> > middle attacks.  Have these bugs been addressed?

On 20 May 2005 at 23:21, Ben Laurie wrote:
> Do they exist? Certainly any session ID I've ever had 
> a hand in has two properties that strongly resist 
> session fixation:
> a) If a session ID arrives, it should already exist in 
> the database.
> b) Session IDs include HMACs.

The way to beat session fixation is to issue a 
privileged and impossible to predict session ID in 
response to a correct login.

If, however, you grant privileges to a session ID on the 
basis of a successful login, which is in fact the usual 
practice, you are hosed. The normal programming model 
creates a session ID, then sets variables and flags 
associated with that session ID in response to forms 
submitted by the user.  To prevent session fixation, you 
must create the session ID with unchangeable privileges 
from the moment of creation.   Perhaps you do this, but 
very few web sites do. 

         James A. Donald

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cypherpunks-legacy mailing list