Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Ben Ford (bford@erisksecurity.com)
Date: 08/30/01


Message-ID: <3B8EB57B.4040501@erisksecurity.com>
Date: Thu, 30 Aug 2001 14:51:55 -0700
From: Ben Ford <bford@erisksecurity.com>
To: "'vuln-dev@securityfocus.com'" <vuln-dev@securityfocus.com>
Subject: Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

Keith.Morgan wrote:

>I've always had a problem with using cookies or session variables for
>authentication mechanisms. These rely on client-side output. Session
>variables in IIS are really just temporary cookies. I could get into a
>whole rant about "best practices" regarding cookies, session auth etc... but
>that's not really the purpose of my reply.
>
>What I really want to know is, how does apache deal with cookies, sessions,
>etc... Has anyone tested to see if apache will accept user supplied cookie
>values?
>

Well, sure it would. But Apache is not an application server; it is
only a web server. Apache doesn't care what GPC values you set; it only
passes them on to whatever application you are running.

-b

-- 
#===================================================================#
# More dead people have written in support of Microsoft against the #
# DOJ than any other single group, leading UMSA (United MS Shills   #
# of America) President Steve Barkto to lodge a formal complaint.   #
#===================================================================#
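The point of the exchange above is that the web server is not where the decision is made: Apache hands the raw Cookie header to a CGI or module application (as HTTP_COOKIE, per the CGI spec) and whatever the client put there arrives unchanged. Whether a session ID the client chose for itself is honoured is the application's choice. The following is an added example, not code from the thread and not a description of any particular IIS or ColdFusion internals; it models the two ways an application can treat a client-supplied session cookie. The cookie name SESSID, the store dict, the function names and the sample Cookie headers are all constructed for illustration.

```python
"""Added example: resolving a session from a raw Cookie header.

A web server (Apache, via CGI/WSGI) delivers the client's Cookie header
verbatim to the application as HTTP_COOKIE.  Below, resolve_session_trusting
adopts whatever session ID the client presents (the pattern the thread is
asking about); resolve_session_strict only honours IDs that this server
itself issued.  Everything here is hypothetical illustration code.
"""
import secrets
from http.cookies import SimpleCookie, CookieError

SESSION_COOKIE = "SESSID"  # assumed cookie name, not taken from any product


def new_session(store):
    """Issue an unguessable session ID, register it in `store`, return it."""
    sid = secrets.token_urlsafe(32)
    store[sid] = {}
    return sid


def parse_session_cookie(http_cookie):
    """Return the SESSID value from a raw Cookie header value, or None.

    `http_cookie` is the string a CGI app reads from os.environ["HTTP_COOKIE"]
    (or a WSGI app from environ["HTTP_COOKIE"]); the server does not filter it.
    """
    if not http_cookie:
        return None
    jar = SimpleCookie()
    try:
        jar.load(http_cookie)
    except CookieError:  # malformed header: treat as "no session cookie"
        return None
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel is not None else None


def resolve_session_trusting(http_cookie, store):
    """Accept any client-supplied ID and create a session record under it.

    Returns (session_id, issued_new).  Because the client picks the ID, a
    third party who can make the victim's browser send a known SESSID value
    (by whatever means) then shares the victim's session under that ID.
    """
    sid = parse_session_cookie(http_cookie)
    if sid is None:
        return new_session(store), True
    store.setdefault(sid, {})  # client-chosen ID becomes a live session
    return sid, False


def resolve_session_strict(http_cookie, store):
    """Accept only IDs this server issued; anything else gets a fresh one.

    Returns (session_id, issued_new).  When issued_new is True the caller
    must send a Set-Cookie for the new ID, replacing the client's value.
    """
    sid = parse_session_cookie(http_cookie)
    if sid is None or sid not in store:
        return new_session(store), True
    return sid, False


# Constructed sample headers, as they would arrive in HTTP_COOKIE.
ATTACKER_CHOSEN = "SESSID=attacker-chosen-value"
WITH_OTHER_COOKIES = "theme=dark; SESSID=xyz123; lang=en"


def demo():
    """Run both resolvers against the same client-chosen cookie."""
    trusting_store, strict_store = {}, {}
    trusted_sid, _ = resolve_session_trusting(ATTACKER_CHOSEN, trusting_store)
    strict_sid, strict_new = resolve_session_strict(ATTACKER_CHOSEN, strict_store)
    return {
        "trusting_adopted_client_id": trusted_sid == "attacker-chosen-value",
        "strict_issued_new_id": strict_new and strict_sid != "attacker-chosen-value",
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the strict resolver's "issue a new ID" branch is also the place to rotate the ID after login, so that an ID the client held before authenticating never becomes an authenticated session.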


