James A. Donald wrote:
> --
> On 12 Jun 2003 at 16:25, Steve Schear wrote:
> http://www.acros.si/papers/session_fixation.pdf
>
> Wow.
>
> This flaw is massive, and the biggest villain is the server
> side code created for Apache.
>
> When you log in to your bank, your e-gold account, your
> stockbroker, or your domain registrar, someone else can share
> your login.
>
> It is a security design error in the development environments
> for active server pages (all of them). Every such development
> environment will have to be changed, and every login script
> written for existing environments needs to have some kind of
> workaround cobbled into it.
>
> The ideal solution is to change the development environment so
> that your session identifier is linked to the shared symmetric
> key used in any https conversation during that session, which
> requires tight coupling of https and development environments
> for active server pages.
>
> In the long term, https must be amended to have a concept of
> login and session, and make that sessionID available to the
> server side coding environments.
This isn't the case. I analysed several sites I work on for attacks of the type described when this paper first came out. None of them were vulnerable. I suggest you read and think more carefully.

I will agree that an incautious implementor could get bitten by these attacks, though.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
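The session fixation attack the quoted paper describes, and the workaround a careful implementor already has, side by side. This is an added example, not code from the paper, from Ben, or from any of the sites discussed; the session store, the user table and the "attacker-chosen-session-id" cookie value are constructed for the illustration. The incautious handler adopts whatever id the client presents and keeps it across login; the careful one honours only ids it issued itself and replaces the id when the user authenticates, so an attacker who planted a known id in the victim's browser ends up holding a session that never becomes privileged.

```python
"""Session fixation: an incautious login handler beside a careful one.
Constructed example; not code from the cited paper or from any listed site."""
import secrets

# Constructed user table (assumption: plaintext for brevity; real code hashes).
USERS = {"alice": "correct horse battery staple"}


def check_password(user, password):
    expected = USERS.get(user)
    return expected is not None and secrets.compare_digest(expected, password)


class SessionStore:
    """Server-side table mapping session id -> session state."""

    def __init__(self):
        self.sessions = {}

    def issue(self):
        # Server-chosen, unpredictable id; the client never picks this value.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None


class IncautiousApp:
    """Adopts whatever id the client presents and keeps it across login."""

    def __init__(self):
        self.store = SessionStore()

    def request(self, cookie_sid):
        # Unknown cookie value? Treat it as a new session under that very id.
        if cookie_sid not in self.store.sessions:
            self.store.sessions[cookie_sid] = {"user": None}
        return cookie_sid

    def login(self, cookie_sid, user, password):
        sid = self.request(cookie_sid)
        if check_password(user, password):
            self.store.sessions[sid]["user"] = user  # same id, now privileged
        return sid


class CarefulApp(IncautiousApp):
    """Only server-issued ids are honoured; login retires the pre-auth id."""

    def request(self, cookie_sid):
        if cookie_sid not in self.store.sessions:
            return self.store.issue()  # ignore the client-supplied value
        return cookie_sid

    def login(self, cookie_sid, user, password):
        sid = self.request(cookie_sid)
        if not check_password(user, password):
            return sid
        self.store.sessions.pop(sid, None)  # drop the id seen before login
        fresh = self.store.issue()           # bind the user to a new id only
        self.store.sessions[fresh]["user"] = user
        return fresh


def run_fixation(app):
    """Attacker plants a known id in the victim's browser, the victim logs
    in, the attacker then presents the planted id. Returns the user the
    attacker's cookie resolves to, and whether the victim kept the planted id."""
    planted = "attacker-chosen-session-id"   # constructed attacker value
    app.request(planted)                      # victim's first request sends it
    victim_sid = app.login(planted, "alice", USERS["alice"])
    return app.store.user_for(planted), victim_sid == planted


if __name__ == "__main__":
    print("incautious:", run_fixation(IncautiousApp()))  # ('alice', True)
    print("careful:   ", run_fixation(CarefulApp()))     # (None, False)
```

Regenerating the id at authentication is the per-script workaround the quoted message says every login handler needs; rejecting ids the server never issued closes the same hole from the other side. The longer-term idea in the quote, tying the session id to the TLS session, is not shown here.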