Network Security: Detailed info on Re: Cookie not expiring...

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Web-App-Sec

[Top] [All Lists]

Re: Cookie not expiring...

from [Rogan Dawes] Network Security

[Permanent Link]

Subject:	Re: Cookie not expiring...
Date:	Wed, 17 Aug 2005 13:54:06 +0200

bryan allott wrote:

i dont think the session is actually available. maybe what is happening is that a new session with the same identifier is being resurrected? read the following from msdn..

"Session identifiers for abandoned or expired sessions are recycled by default. That is, if a request is made that includes the session identifier for an expired or abandoned session, a new session is started using the same session identifier. You can disable this by setting regenerateExpiredSessionId attribute of the <sessionState> configuration element to true. For more information, see Session Identifiers."
..NET Framework
Supported in: 2.0, 1.1, 1.0
try that?

This sounds like the application would be vulnerable to session fixation attacks (http://www.acros.si/papers/session_fixation.pdf) if it allows arbitrary session id's to be (re-)created on the fly.

Rogan

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Cookie not expiring..., spawn security Re: Cookie not expiring..., bryan allott RE: Cookie not expiring..., Dan Simon Re: Cookie not expiring..., Rogan Dawes <= Re: Cookie not expiring..., Thomas Chiverton RE: Cookie not expiring..., Steven Rebello RE: Cookie not expiring..., David Knapman Re: Cookie not expiring..., dharmeshmm RE: Cookie not expiring..., Dan Simon Windows 2003 Server Hardening, Joe Osborn Re: Windows 2003 Server Hardening, jcarr083 RE: Windows 2003 Server Hardening, Sarbjit Singh Gill RE: Windows 2003 Server Hardening, Aleksander P. Czarnowski

Previous by Date:	RE: Cookie not expiring..., Dan Simon
Next by Date:	Re: RE: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection), mike
Previous by Thread:	RE: Cookie not expiring..., Dan Simon
Next by Thread:	Re: Cookie not expiring..., Thomas Chiverton
Indexes:	[Date] [Thread] [Top] [All Lists]