> 1) The application sets a session ID for a non-authenticated user. When the > user authenticates, the session ID is not changed. If the attacker can > access this session ID token then they will be able to steal the user's > session.
Are you issuing the session ID token over an insecure channel at any point? If you communicate over a secure channel exclusively, then your concerns are arguably moot. If an attacker can intercept data over the secure channel you've got bigger problems. If you alternate between http/https, then you're in violation of OWASP guidelines. [1] > 2) The attacker can "force" the user to use a token they have created. This > is accomplished by the attacker visiting the site and being assigned a > session ID. Session IDs and moreover CAS tokens are bearer tokens and have all the benefits and risks thereof. [2] M [1] https://www.owasp.org/index.php/Top_10_2010-A9 [2] https://wiki.jasig.org/display/CASC/Client+Security+Recommendations -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
