Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Maia Mailgaurd http://www.renaissoft.com/maia/

from [Chuck] Network Security [Permanent Link]
Subject: Re: Maia Mailgaurd http://www.renaissoft.com/maia/
Date: Mon, 18 Jul 2005 11:57:30 -0400 
Responses below....

On 7/18/05, Achim Hoffmann <kirke11@securenet.de> wrote:

!! In short, you are better off putting the session id in a cookie than
!! putting it in the URL. 



In short, it is much simpler to steal session ids from cookies than from
URL, exceptions see below. 


No, they are both easy.  If there is a XSS on the site, then you can
get the URL with window.location.href.


Cookies are unsecure, unfortunately.


I disagree.  Cookies are often insecurely used, but they can be a part
of a "secure" application and I think that they are sufficient for the
type of application the original poster was describing.  They are not
perfect, but they are better than the alternatives that are available
in browsers today.


And more worse, most application don't take care for example by using FQDN
and proper path= attribute and secure flag.


I agree with this, applications often do not use Cookies properly,
which is part of the problem.  I also agree with you that the
application should not invalidate session IDs after some amount of
time to minimize the possibility of session hijacking.

Chuck
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein, Amit Klein (AKsecurity)
Next by Date:  Re: @CHECK Re: Re: Article - A solution to phishing, Dennis W. Kennedy
Previous by Thread:  PHP Session ID's, focus
Next by Thread:  Re: Maia Mailgaurd http://www.renaissoft.com/maia/, Chuck
Indexes:  [Date] [Thread] [Top] [All Lists]