Re: [Phplib-users] Doc suggestions
From: Kristian K. <kk...@ne...> - 2002-07-09 15:22:12
On Tuesday, 9 July 2002 16:51, Maxim Derkachev wrote:
> Security downgraded only for those who don't accept cookies
> and take the risk of session being hijacked if urls they get
> are stolen from the remote proxy logs or published in the
> Internet.

URL IDs leak like hell. They are being logged by proxies (true for hostname and path component IDs, not true for Squid and GET parameters). They leak via references header (true for all three systems). They are being bookmarked (true for all). They are mailed (true for all) or worse, printed in magazines.

Cookies don't do any of this. Cookies are highly preferred as a mode of ID propagation.

For true security, SSL is a necessity independent of ID propagation mode. Still, cookies are even preferred in this situation due to references, bookmarks and mail.

> of it either. How the fact a session with id 'foo' is created
> can be a security hole?

It enables "known session id" attacks on unsuspecting end users. In this attack model, Charlie sends mail with prepared URLs to Bob, inviting them to Alice's Online Restaurant. Since Charlie's invitations already contain IDs, Charlie does know Bob's session ID and can hijack Bob's session easily.

A session library should check if a session record for a given ID is present, and if it isn't, should generate a new, random ID with an empty session record, then restart the session. This will protect against the above attacker model.

Kristian
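The check Kristian describes, as an added Python example that is not PHPLib code and not part of the original mail: a naive session start that adopts any ID the client presents, next to a checked one that only honours IDs for which a server-issued record already exists and otherwise issues a fresh random ID with an empty record. The in-memory store, the function names and the "Charlie mails Bob an ID" simulation are constructed for illustration.

```python
import secrets
from typing import Callable, Optional, Tuple

# A session store maps session ID -> session record (a dict of values).
# Constructed in-memory store; a real library would persist this.
Store = dict


def new_session_id() -> str:
    """Unpredictable session ID: 128 bits from the OS CSPRNG, hex encoded."""
    return secrets.token_hex(16)


def naive_start_session(store: Store, presented_id: Optional[str]) -> Tuple[str, dict]:
    """The behaviour the mail warns about: whatever ID the client presents
    becomes a live session, so an ID chosen by a third party is accepted."""
    if presented_id is None:
        presented_id = new_session_id()
    return presented_id, store.setdefault(presented_id, {})


def checked_start_session(store: Store, presented_id: Optional[str]) -> Tuple[str, dict]:
    """The recommended behaviour: only an ID with an existing record is resumed.
    Any unknown ID is discarded and replaced by a fresh random ID with an empty
    record, so a session can only ever be opened under an ID the server issued."""
    if presented_id is not None and presented_id in store:
        return presented_id, store[presented_id]
    fresh_id = new_session_id()
    store[fresh_id] = {}
    return fresh_id, store[fresh_id]


def simulate_prepared_url(start: Callable[[Store, Optional[str]], Tuple[str, dict]]) -> bool:
    """Replay the attacker model from the mail against a session-start policy.

    Charlie mails Bob a URL carrying an ID Charlie chose ("foo"). Bob follows it
    and logs in; Charlie later presents the same ID. Returns True if Charlie
    ends up reading Bob's session record, i.e. the hijack succeeds.
    """
    store: Store = {}
    chosen_id = "foo"  # constructed attacker-chosen ID

    # Bob arrives with Charlie's ID and the application stores his login.
    _bob_id, bob_session = start(store, chosen_id)
    bob_session["user"] = "bob"

    # Charlie presents the ID he already knows.
    _charlie_id, charlie_session = start(store, chosen_id)
    return charlie_session.get("user") == "bob"


if __name__ == "__main__":
    print("naive policy hijacked:  ", simulate_prepared_url(naive_start_session))
    print("checked policy hijacked:", simulate_prepared_url(checked_start_session))
```

With the checked policy Bob never receives a session under the ID "foo": the library hands him a fresh random ID with an empty record, so the ID in Charlie's mail never corresponds to any live session. The random ID is generated with the `secrets` module rather than `random`, since an ID an attacker can predict is as bad as one he chose.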