Re: What happened with the session fixation bug?

2005-06-05 Thread Michael Cordover
James A. Donald wrote:
| Adversary accesses web site as if about to log in, gets
| a session ID. Then supplies false information to
| someone else's browser, causes that browser on some one
| else's computer to use that session ID. Someone else
| logs in with hacker's session ID, and now the

Re: What happened with the session fixation bug?

2005-06-05 Thread James A. Donald
-- James A. Donald wrote: Adversary accesses web site as if about to log in, gets a session ID. Then supplies false information to someone else's browser, causes that browser on some one else's computer to use that session ID. Someone else logs in with hacker's session ID, and