Shouldn't cookies be sent and validated with an MD5 signature?
ilia.
----- Original Message -----
From: "Angus Lees" <[EMAIL PROTECTED]>
To: "Embperl list" <[EMAIL PROTECTED]>
Sent: Wednesday, November 08, 2000 23:10
Subject: Re: trying to DeleteSession (security bug?)
> On Tue, Nov 07, 2000 at 12:41:52PM +0100, Gerald Richter wrote:
> > I have committed a new version into the CVS which should solve the
> > DeleteSession problem and also the GetSession problem you reported a few
> > days ago.
>
> works great
>
> currently it sends the cookie every time, but (as gerald and i
> discussed privately) i have a feeling that's a modperl 1.24 issue.
>
> if you write to %udat after calling DeleteSession, then it creates the
> session in the database (or on disk, etc), but still deletes the
> cookie. if you do this, you probably deserve to leak sessions tho ;)
> (reading after deleting is fine)
>
>
> > I don't know from where the session tainting problem comes. You may try to
> > untaint the session_id in line 270 of Embperl/Session.pm by modifying it
> > from:
> [snip code]
> > this should untaint the newly generated session id.
>
> my point was that it tries to create whatever session the browser asks
> for. imo, if the browser has a cookie for which no session exists, the
> browser should get given a new randomly generated session, just as if
> it had no existing cookie.
>
> if it wasn't for taint, it'd be a real security issue. consider what
> would happen using FileStore and a session id of "../../bin/httpd" (or
> some path that exists).
>
>
> to reproduce:
>
> go to a page that uses %udat.
>
> quit netscape.
>
> edit ~/.netscape/cookies and change the session id to something that
> it shouldn't be.
>
> now go to a page that uses %udat again.
>
> --
> - Gus
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
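The two defensive points raised in this thread, a signed cookie (Ilia) and never creating whatever session the browser names but issuing a fresh random one instead (Gus), as an added, language-neutral sketch that is not Embperl's Session.pm and not code from anyone on this list. It uses HMAC-SHA256 in place of the MD5 signature suggested above, and an in-memory dict stands in for FileStore; the secret, the session-id format and the root directory are constructed for the example.

```python
import hashlib
import hmac
import os
import re
import secrets

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"demo-secret-for-example-only"
SID_RE = re.compile(r"[0-9a-f]{32}")   # only ids we generated ourselves look like this
TAG_RE = re.compile(r"[0-9a-f]{64}")   # hex HMAC-SHA256

def new_session_id():
    """Server-chosen random id; the client never gets to pick one."""
    return secrets.token_hex(16)

def sign_cookie(sid):
    """Cookie value = sid '.' HMAC(secret, sid), so tampering is detectable."""
    tag = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"

def verify_cookie(cookie):
    """Return the sid if the cookie is well-formed and the tag verifies, else None.
    A value such as '../../bin/httpd' fails the shape check before any path is built."""
    if cookie is None or cookie.count(".") != 1:
        return None
    sid, tag = cookie.split(".")
    if not SID_RE.fullmatch(sid) or not TAG_RE.fullmatch(tag):
        return None
    expected = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()
    return sid if hmac.compare_digest(tag, expected) else None

class SessionStore:
    def __init__(self, root="/tmp/sessions"):   # constructed path
        self.root = root
        self.data = {}   # sid -> session dict (stands in for one file per session)

    def path_for(self, sid):
        # Only ever called with a sid that passed SID_RE, so it cannot leave root.
        return os.path.join(self.root, sid)

    def get_session(self, cookie):
        """Return (sid, data, is_new). Invalid, forged or unknown ids are NOT created;
        the browser is handed a fresh random session exactly as if it had no cookie."""
        sid = verify_cookie(cookie)
        if sid is None or sid not in self.data:
            sid = new_session_id()
            self.data[sid] = {}
            return sid, self.data[sid], True
        return sid, self.data[sid], False
```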