RE: XSS with encrypted cookie?

From: Achim Dreyer (adreyer@math-mail.uni-paderborn.de)
Date: Thu Dec 11 2003 - 11:55:10 EST


On Thu, 11 Dec 2003, Rajesh Jose wrote:

> Hi,
>
> I didn't get "encrypted session token cookie". Normally nobody will be
> encrypting a session token. So far as the session token is strongly
> random nothing can be achieved by encrypting it.
> Or did you mean secure cookie?
> Secure cookie is a cookie which can be fetched by the server only
> through an SSL channel.
>
> In all these cases "encrypted, not-encrypted and secured" it is possible
> to fetch a cookie through XSS attack and replay the session.
>
> Replaying of session token will not be possible if the application is using
> source IP for session validation.

... unless of course when user and attacker live on the same system, which
is quite possible on any Unix system or something like a Citrix server
(farm).

Regards,
Achim Dreyer

--
A. Dreyer, Senior SysAdmin (UNIX&Network) / Internet Security Consultant
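
The source-IP check discussed in this thread, and the shared-host case in which it cannot distinguish two users, as an added example that is not part of the original messages. The class and function names and the addresses (documentation ranges) are constructed for illustration.

```python
import hmac
import secrets


class IpBoundSessions:
    """Session store that ties each token to the source IP seen at login."""

    def __init__(self):
        self._sessions = {}  # token -> (user, source_ip)

    def login(self, user, source_ip):
        token = secrets.token_urlsafe(32)  # strongly random, not encrypted
        self._sessions[token] = (user, source_ip)
        return token

    def validate(self, token, source_ip):
        """Return the user if the token is known AND comes from the bound IP."""
        for known, (user, bound_ip) in self._sessions.items():
            if hmac.compare_digest(known, token):
                return user if source_ip == bound_ip else None
        return None


def replay_outcomes():
    """Present one session token from three constructed network positions."""
    store = IpBoundSessions()
    shared_host = "192.0.2.10"   # constructed: multi-user Unix box or Citrix server
    other_host = "198.51.100.7"  # constructed: unrelated remote address
    token = store.login("alice", shared_host)
    return {
        "owner_same_ip": store.validate(token, shared_host),
        "replay_other_ip": store.validate(token, other_host),
        # A second user on the same machine presents the same source address,
        # so the server cannot tell this request from the owner's.
        "replay_shared_ip": store.validate(token, shared_host),
        "unknown_token": store.validate("not-a-real-token", shared_host),
    }


if __name__ == "__main__":
    for case, user in replay_outcomes().items():
        print(f"{case:18} -> {'accepted as ' + user if user else 'rejected'}")
```
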