RE: CSS, CSS & let me give you some more CSS
From: info@elitesoft.org Date: 02/01/02
- Previous message: keks_revda: "SmallHTTP smallest problemm"
- Maybe in reply to: Obscure: "RE: CSS, CSS & let me give you some more CSS"
- Next in thread: Bill Pennington: "Re: CSS, CSS & let me give you some more CSS"
- Reply: Bill Pennington: "Re: CSS, CSS & let me give you some more CSS"
From: <info@elitesoft.org> Date: Fri, 1 Feb 2002 11:08:59 -0500 To: Obscure <obscure@eyeonsecurity.net>
If you use the IP address for the session cookie, an attacker can't use
a stolen cookie.
However, you can't use the IP address when BGP or a proxy is used.
In this case the best protection is to change the session cookie
for each transaction using a transaction counter.
This will provide transaction non-repudiation.
If such a session cookie is stolen and used by a hacker prior
to the user, then the user's session will be blown away.
Mike
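
A sketch of the per-transaction cookie rotation described in the message above, added here as an example and not part of the original post. The class name, the HMAC-over-counter cookie format and the policy of destroying the session when a stale cookie arrives are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class RotatingSessions:
    """Hypothetical server-side store: one valid cookie per session at a time."""

    def __init__(self):
        self._sessions = {}  # session id -> {"key": bytes, "counter": int}

    def _cookie(self, sid, state):
        # Cookie = session id + HMAC over (session id, transaction counter).
        msg = f"{sid}:{state['counter']}".encode()
        tag = hmac.new(state["key"], msg, hashlib.sha256).hexdigest()
        return f"{sid}.{tag}"

    def login(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"key": secrets.token_bytes(32), "counter": 0}
        return self._cookie(sid, self._sessions[sid])

    def request(self, cookie):
        """Return the cookie for the next transaction, or None if rejected."""
        sid = cookie.partition(".")[0]
        state = self._sessions.get(sid)
        if state is None:
            return None  # unknown or already destroyed session
        expected = self._cookie(sid, state)
        if not hmac.compare_digest(cookie.encode(), expected.encode()):
            # Stale or altered cookie for a live session: it was replayed or
            # used out of order, so the whole session is destroyed.
            del self._sessions[sid]
            return None
        state["counter"] += 1  # advance the transaction counter
        return self._cookie(sid, state)


def stolen_cookie_demo():
    """Constructed scenario: the stolen cookie is used before the user's copy."""
    server = RotatingSessions()
    current = server.request(server.login())   # user's first transaction
    thief_next = server.request(current)       # stolen copy arrives first
    user_next = server.request(current)        # user's copy is now stale
    thief_again = server.request(thief_next)   # session no longer exists
    return thief_next is not None, user_next, thief_again
```

The demo returns `(True, None, None)`: the first use of the stolen cookie succeeds, the user's next request exposes the desynchronised counter, and the session is torn down for both parties.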