Sylvain Wallez wrote:
> This has already been identified by Leszek Gawron. Although this is an
> issue, it can only be exploited by hijacking a continuation ID which, if
> done, also means the ability to hijack the session ID and therefore the
> associated authorizations.

not only ..
1. You log in.
2. Do stuff.
3. Log out.
4. Even restart your computer.
5. Go to the Firefox cache - the page is there (I still do not know why, if I set the caching headers properly).
6. http://thehost.com/myapp/showReport.do. The page loads from cache. The page content has a hidden input with a valid continuation.
7. Submit the form.
8. The report is yours!
The solution for this is the continuation-per-session manager, where a continuation ID only exists within a given session.

Would you be so kind as to review my solution for this? It is not quite finished (instrumentation and debug info are not implemented), but I am very eager to polish it if it could be useful to anyone but me.
-- 
Leszek Gawron                                  [EMAIL PROTECTED]
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65
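The replay sequence above, and the continuation-per-session fix the post proposes, as an added example that is not part of the original thread and not Cocoon's or Leszek's code. It models two hypothetical continuation managers with a toy in-memory session store: a global one, where a continuation ID resolves from any request that carries it, and a session-scoped one, where the ID is only meaningful inside the session that created it. `cached_form_replay` walks through the post's steps (log in, render the form with its hidden continuation ID, log out, submit the cached form from a fresh session) and reports whether the continuation still resolves; all class, function and sample names are constructed for the illustration.

```python
import secrets


class GlobalContinuationManager:
    """Continuation IDs live in one global table: any request that presents
    the ID resumes the continuation, whatever session it arrives in."""

    def __init__(self):
        self.sessions = {}        # session id -> user
        self.continuations = {}   # continuation id -> saved state

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def logout(self, sid):
        # The session goes away, but its continuations outlive it.
        self.sessions.pop(sid, None)

    def create(self, sid, state):
        kid = secrets.token_hex(16)
        self.continuations[kid] = state
        return kid

    def lookup(self, sid, kid):
        # The session id is ignored: this is the weakness the post describes.
        return self.continuations.get(kid)


class SessionScopedContinuationManager:
    """Continuation IDs are stored inside the owning session, so they are
    unreachable from any other session and vanish when the session ends."""

    def __init__(self):
        self.sessions = {}   # session id -> {"user": ..., "continuations": {}}

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "continuations": {}}
        return sid

    def logout(self, sid):
        # Dropping the session drops every continuation it owned.
        self.sessions.pop(sid, None)

    def create(self, sid, state):
        kid = secrets.token_hex(16)
        self.sessions[sid]["continuations"][kid] = state
        return kid

    def lookup(self, sid, kid):
        session = self.sessions.get(sid)
        if session is None:
            return None
        return session["continuations"].get(kid)


def legitimate_flow(manager):
    """Normal use: the form is submitted within the session that rendered it."""
    sid = manager.login("alice")
    kid = manager.create(sid, {"report": "constructed-report-1", "owner": "alice"})
    return manager.lookup(sid, kid) is not None


def cached_form_replay(manager):
    """The steps from the post: log in, render the report form (its hidden
    input carries the continuation ID), log out, then submit the form that
    the browser cached. The submit arrives in a fresh, unauthenticated session.
    Returns True if the stale continuation still resolves."""
    sid = manager.login("alice")
    hidden_input = manager.create(sid, {"report": "constructed-report-1", "owner": "alice"})
    manager.logout(sid)
    fresh_session_id = secrets.token_hex(16)   # browser has a new or no session now
    return manager.lookup(fresh_session_id, hidden_input) is not None


if __name__ == "__main__":
    print("global manager, replay resolves:", cached_form_replay(GlobalContinuationManager()))
    print("session-scoped manager, replay resolves:",
          cached_form_replay(SessionScopedContinuationManager()))
```

With the global manager the replay resolves, which is the behaviour the numbered steps describe; with the session-scoped manager the logout discards the session and everything it owned, so the cached hidden input no longer maps to anything, while the legitimate in-session flow keeps working in both.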
