From: <e_a...@ya...> - 2004-12-22 09:30:48

I use "sequence numbers" to avoid the problem. It's basically a similar solution to the "secrets" mentioned in the article. An increasing integer number is sent back to the client with every request. The client must send it back to the server with each new request. It has the added advantage (that was really my primary intention) that it can be used for other useful purposes (for example, forbidding reloading of "critical" pages by just checking whether the sequence number has/has not already been used). An external attacker has no idea what the next sequence number must be, so Session Riding is not possible (at least that's what I think).

I don't know how this mechanism or something similar could be added in a general way to the Webware framework, but it would be great if brighter brains than mine could get it done.

Regards!
Enrique

--- Frank Barknecht <fb...@fo...> wrote:

> Hi,
>
> maybe you have already seen this one on some news sites, but this
> document on "Session Riding" [1] IMO discusses a very important
> security issue with web based applications like you all probably
> develop with Webware, too, and it shines new light on the Cookie vs.
> URL-session debate. Essential reading!
>
> [1] http://www.securenet.de/papers/Session_Riding.pdf
>
> Ciao
> --
> Frank Barknecht footils.org
>
> _______________________________________________
> Webware-discuss mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/webware-discuss
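The per-request sequence number Enrique describes, written out as a small server-side check. This is an added example, not code from the thread or from Webware: the `SequenceGuard` class, its method names and the `session_id` parameter are all assumptions. It goes one step beyond the post in one respect: a bare increasing integer is predictable by anyone who has seen one page, so here the number the client echoes is paired with an HMAC over it under a per-session random secret (the "secrets" approach the Session Riding paper is summarised as recommending). The sequencing property is kept exactly as described: the server accepts only the number it is currently expecting, and each number is valid once, so a reload, a replay and a forged cross-site request are all rejected by the same check.

```python
import hashlib
import hmac
import secrets


class SequenceGuard:
    """Per-session request sequence numbers as an anti-Session-Riding check.

    Hypothetical helper (not part of Webware). Each session keeps a counter and
    a random secret. The server hands the client a token for request number n;
    the client must echo it with its next request. A token is accepted only if
    its number is the one the server expects and its MAC verifies, and each
    number is accepted exactly once, so reloads and replays fail the same way
    forged requests do.
    """

    def __init__(self):
        # session_id -> {"secret": bytes, "next": int}; in-memory for the example
        self._sessions = {}

    def start_session(self, session_id):
        """Create a session with a fresh secret and a counter starting at 0."""
        self._sessions[session_id] = {"secret": secrets.token_bytes(32), "next": 0}

    def _token_for(self, session_id, n):
        # Token is "<n>:<hmac-sha256(secret, n)>"; the number is visible but
        # the MAC cannot be produced without the session secret.
        sess = self._sessions[session_id]
        mac = hmac.new(sess["secret"], str(n).encode(), hashlib.sha256).hexdigest()
        return f"{n}:{mac}"

    def issue(self, session_id):
        """Return the token to embed in the page being sent to the client."""
        return self._token_for(session_id, self._sessions[session_id]["next"])

    def validate(self, session_id, presented):
        """Return True and advance the counter iff `presented` is the expected token."""
        sess = self._sessions.get(session_id)
        if sess is None or not isinstance(presented, str):
            return False
        num_str, sep, _mac = presented.partition(":")
        if not sep or not num_str.isdigit():
            return False
        n = int(num_str)
        if n != sess["next"]:
            # Already consumed (reload/replay) or not yet issued: reject.
            return False
        expected = self._token_for(session_id, n)
        # Constant-time comparison of the whole token, MAC included.
        if not hmac.compare_digest(expected, presented):
            return False
        sess["next"] += 1
        return True


def demo():
    """Walk through the lifecycle; returns the outcomes as a tuple of booleans."""
    guard = SequenceGuard()
    guard.start_session("alice")
    first = guard.issue("alice")                 # token for request 0
    ok_first = guard.validate("alice", first)    # legitimate form submit
    reload_rejected = not guard.validate("alice", first)   # same token again
    forged_rejected = not guard.validate("alice", "1:" + "0" * 64)  # guessed n, no secret
    wrong_session = not guard.validate("bob", first)        # unknown session
    second = guard.issue("alice")                # now request 1
    ok_second = second.startswith("1:") and guard.validate("alice", second)
    return ok_first, reload_rejected, forged_rejected, wrong_session, ok_second


if __name__ == "__main__":
    print(demo())
```

In a real deployment the token would be rendered into a hidden form field or URL parameter of every page and checked before any state-changing handler runs; the counter and secret would live in the session store rather than a module-level dict, and a request whose number has already been consumed is exactly the "critical page reloaded" case the post wants to refuse.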