[REVS] Cookie Path Best Practice
From: SecuriTeam (support_at_securiteam.com)
Date: 05/20/04
To: list@securiteam.com
Date: 20 May 2004 17:56:53 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cookie Path Best Practice
------------------------------------------------------------------------
SUMMARY
The document linked under "Additional Information" below is a brief paper
discussing how, and why, a cookie's path should be strictly defined.
DETAILS
Abstract:
Cookies provide a method for creating a stateful HTTP session and their
recommended use is formally defined within RFC 2965 and BCP 44. Although
they are used for many purposes, they are often used to maintain a Session
ID (SID), through which an individual user can be identified throughout
their interaction with the site. For a site that requires authentication,
this SID is typically passed to the user after they have authenticated and
effectively maintains the authentication state. If an attacker can use a
mechanism (such as sniffing or cross-site scripting) to gain access to the
SID, then potentially they can incorporate it within their own session to
successfully assume the user's identity.
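The following is an added example, not code from the advisory or from the Corsaire paper it links. It shows what "strictly defined path" buys a defender: the browser's path-match rule (taken from RFC 6265 section 5.1.4, which supersedes the RFC 2965 text the abstract cites, so that rule is an assumption here) decides which request paths a session cookie is attached to, and a small audit function flags Set-Cookie headers whose Path is missing, set to "/", or broader than the application's root. The cookie name, SID value and request paths are constructed for illustration.

```python
"""Added example (not from the advisory or the Corsaire paper): why a session
cookie should carry a strict Path, shown with the path-match rule browsers
apply and a small audit of Set-Cookie headers. All names and sample
headers here are constructed for illustration."""


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Path-match as defined in RFC 6265 section 5.1.4 (assumed here; the
    advisory cites RFC 2965). The cookie is attached to the request if:
      - the paths are identical, or
      - cookie_path is a prefix of request_path and either ends in '/'
        or the next character of request_path is '/'.
    The second condition is what stops Path=/app leaking to /application."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def paths_receiving_cookie(cookie_path: str, request_paths: list[str]) -> list[str]:
    """Which of the given request paths would carry a cookie scoped to cookie_path."""
    return [p for p in request_paths if path_matches(p, cookie_path)]


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: name, value and a dict of attributes with
    lowercased keys (flag attributes such as HttpOnly get an empty value)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie_path(header: str, app_path: str) -> list[str]:
    """Return findings for a session cookie that should be confined to app_path.
    An empty list means the Path is as strict as the application allows."""
    cookie = parse_set_cookie(header)
    path = cookie["attrs"].get("path")
    findings = []
    if path is None:
        findings.append(
            f"{cookie['name']}: no Path attribute, so the browser derives a "
            "default path from the request URL (usually broader than intended)")
    elif path == "/":
        findings.append(f"{cookie['name']}: Path=/ exposes the cookie to every "
                        "path on the host, including unrelated applications")
    elif path != app_path and path_matches(app_path, path):
        findings.append(f"{cookie['name']}: Path={path} is broader than the "
                        f"application root {app_path}")
    return findings


def scoped_session_cookie(name: str, sid: str, app_path: str) -> str:
    """Emit a Set-Cookie value that confines the session ID to app_path."""
    return f"{name}={sid}; Path={app_path}"


if __name__ == "__main__":
    # Constructed sample: a session cookie for an application mounted under /secure
    weak = "SID=a1b2c3; Path=/"
    strict = scoped_session_cookie("SID", "a1b2c3", "/secure")
    requests = ["/secure/account", "/secure", "/securecam/feed", "/forum/post", "/"]
    for hdr in (weak, strict):
        cookie_path = parse_set_cookie(hdr)["attrs"]["path"]
        print(hdr)
        print("  sent to:", paths_receiving_cookie(cookie_path, requests))
        print("  findings:", audit_cookie_path(hdr, "/secure") or "none")
```

Running the block shows the weak cookie travelling with every request on the host (so any other application, or any script injection point, on the same host sees the SID), while the strict cookie reaches only /secure and paths beneath it; note that /securecam/feed is excluded because the prefix must end at a "/" boundary.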
ADDITIONAL INFORMATION
The information has been provided by Martin O'Neal.
The original article can be found at:
http://www.corsaire.com/white-papers/040323-cookie-path-best-practice.pdf