
List:       webappsec
Subject:    RE: Session Fixation
From:       Cyrill Osterwalder <cyrill.osterwalder () seclutions ! com>
Date:       2003-04-02 7:15:12


>I am currently logging the super cookie to try and determine if it
>really is unique enough.

I always prefer and also recommend having a session identifier whose 
uniqueness is controlled and therefore guaranteed by the server, not 
by any client software. The server software should not rely on the client side 
regarding this issue.

When using SSL connections, I often use the SSL session ID, which is 
exactly such an example where the server guarantees uniqueness. However, 
the SSL session ID also has some problems, like old browser versions not 
keeping it long enough, or losing sessions if your server-side SSL 
session pool is not big enough. If one of these issues is relevant, I 
build long enough and very good random identifiers where I guarantee 
uniqueness in the session management code.

Cyrill

---------------------------------------------------
Cyrill Osterwalder
Chief Technology Officer
http://www.seclutions.com

PGPKey FP :5C84E132BBD50AB1627BF873D3B6CAF4C70E7ACB
PGPKey URL:ldap://certserver.pgp.com
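The approach described in the reply above, server-minted random session identifiers with uniqueness guaranteed in the session management code and the ID rotated at login so a planted ID never becomes the authenticated session, as an added example that is not code from the original post or from the author's products. It assumes a hypothetical in-memory store (`SessionStore`) and uses Python's `secrets.token_urlsafe` as the random source; the injectable `id_source` exists only so the collision path can be exercised with a constructed, deliberately repeating generator.

```python
import secrets
from typing import Callable, Dict, Optional

# Hypothetical session store: an in-memory dict is enough to show the idea.
# 32 random bytes (256 bits) per ID is far beyond any practical guessing or
# birthday-collision concern.
ID_BYTES = 32


class SessionStore:
    """Server-side session store that controls ID generation and uniqueness.

    Uniqueness is guaranteed here, in the session management code, not by
    trusting anything the client supplies.
    """

    def __init__(self, id_source: Optional[Callable[[], str]] = None) -> None:
        # id_source is injectable so the collision path can be exercised in a
        # test; in production leave it None and secrets.token_urlsafe is used.
        self._id_source = id_source or (lambda: secrets.token_urlsafe(ID_BYTES))
        self._sessions: Dict[str, dict] = {}

    def _new_unique_id(self) -> str:
        # Loop until the generated ID is not already in use. With 256-bit
        # random IDs this practically never repeats, but the check makes the
        # guarantee explicit and independent of the generator's quality.
        while True:
            sid = self._id_source()
            if sid not in self._sessions:
                return sid

    def create(self, data: Optional[dict] = None) -> str:
        sid = self._new_unique_id()
        self._sessions[sid] = dict(data or {})
        return sid

    def get(self, sid: str) -> Optional[dict]:
        # Client-supplied IDs are only ever used as lookup keys. An unknown
        # ID yields no session; the server never adopts an ID it did not mint.
        return self._sessions.get(sid)

    def regenerate(self, old_sid: str) -> Optional[str]:
        """Issue a fresh ID for an existing session and retire the old one.

        Call this at privilege changes (login, role elevation). It is the
        standard countermeasure to session fixation: an ID that was present
        before login never becomes the authenticated session's ID.
        """
        data = self._sessions.pop(old_sid, None)
        if data is None:
            return None
        new_sid = self._new_unique_id()
        self._sessions[new_sid] = data
        return new_sid

    def destroy(self, sid: str) -> bool:
        return self._sessions.pop(sid, None) is not None


def login_flow_demo() -> dict:
    """Walk through a pre-login session, authentication, and ID rotation."""
    store = SessionStore()
    pre_login = store.create({"cart": ["item-1"]})     # anonymous session
    post_login = store.regenerate(pre_login)           # rotate at login
    store.get(post_login)["user"] = "alice"            # bind identity to the new ID
    return {
        "ids_differ": pre_login != post_login,
        "old_id_dead": store.get(pre_login) is None,
        "data_kept": store.get(post_login)["cart"] == ["item-1"],
        "user_bound": store.get(post_login)["user"] == "alice",
    }


def collision_demo() -> bool:
    """Show the uniqueness guarantee with a deliberately bad generator."""
    # Constructed generator that repeats "dup" three times before "fresh".
    outputs = iter(["dup", "dup", "dup", "fresh"])
    store = SessionStore(id_source=lambda: next(outputs))
    first = store.create()    # gets "dup"
    second = store.create()   # skips the repeated "dup" values, gets "fresh"
    return first == "dup" and second == "fresh"


if __name__ == "__main__":
    print(login_flow_demo())
    print("collision handled:", collision_demo())
```

The collision loop is cheap insurance: with a good random source it never iterates, but it keeps the uniqueness property in the server's hands even if the underlying generator is later swapped for a weaker one. In a real deployment the dict would be a shared store (database, cache) and the insert-if-absent check would need to be atomic across workers.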


