[13652] in cryptography@c2.net mail archive
Re: Session Fixation Vulnerability in Web Based Apps
daemon@ATHENA.MIT.EDU (James A. Donald)
Mon Jun 16 13:12:46 2003
X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: Ng Pheng Siong <ngps@netmemetic.com>
Date: Mon, 16 Jun 2003 09:51:39 -0700
Cc: cryptography@metzdowd.com
In-reply-to: <20030616021044.GC420@vista.netmemetic.com>
    --
James A. Donald:
> > Which is fine provided your code, rather than the framework
> > code, provided the cookie, and provided you generated the
> > cookie in response to a valid login, as Ben Laurie does.
> > The framework, however, generally provides insecure
> > cookies.
Ng Pheng Siong:
> Dynamic programming environments like Lisp, Smalltalk and 
> Python allow the application programmer to replace parts of a 
> framework with other code easily.
The word "environment", like "framework", is overloaded.   I had
in mind such frameworks as PHP, Struts, and ASP.   mod_perl
makes you do your own damn cookie management as far as I know,
and so would not in itself cause the session fixation problem,
though programmer error might very easily cause it.
    --digsig
         James A. Donald
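As an added illustration of the point made above (example code, not from this thread nor from any framework it names): a minimal Python login handler in two variants, one that keeps whatever session id the client already presented, the framework behaviour described in the reply, and one that issues the id only in response to a valid login. The in-memory session store, the credential table and all names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store: session id -> session data (demo only).
SESSIONS = {}

# Constructed credential table: username -> sha256 of password (demo only; a real
# system would use a slow password hash such as scrypt or argon2).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def check_password(username, password):
    """Constant-time comparison of the given password against the stored hash."""
    stored = USERS.get(username)
    if stored is None:
        return False
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, given)


def login_keeps_client_id(presented_sid, username, password):
    """Framework-style login: the session id the client already holds is kept and
    simply upgraded to 'authenticated'. Whoever set that id before the login now
    shares the authenticated session, which is the session fixation problem."""
    if presented_sid not in SESSIONS:
        SESSIONS[presented_sid] = {"user": None}  # accepts a client-chosen id
    if not check_password(username, password):
        return None
    SESSIONS[presented_sid]["user"] = username
    return presented_sid


def login_issues_fresh_id(presented_sid, username, password):
    """Issue the session id in response to the valid login and never before: the
    presented id is discarded, so an id that existed before authentication can
    never become an authenticated one."""
    if not check_password(username, password):
        return None
    SESSIONS.pop(presented_sid, None)  # retire whatever id the client arrived with
    sid = secrets.token_urlsafe(16)    # 128 bits of fresh entropy, unguessable
    SESSIONS[sid] = {"user": username}
    return sid
```

The check a reviewer wants is the last one: after a successful login, the session id the client ends up with must differ from the one it presented.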
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com