|
|
Document Details
Web-Based Session Management
Description: Abstract:
Many web-based applications employ some kind of session management to create a user-friendly environment. Sessions are stored on server and associated with respective users by session identifiers (IDs). Naturally, session IDs present an attractive target for attackers, who, by obtaining them, effectively hijack users%60 identities. Knowing that, web servers are employing techniques for protecting session IDs from three classes of attacks: interception, prediction and brute-force attacks. This paper reveals a fourth class of attacks against session IDs: session fixation attacks. In a session fixation attack, the attacker fixes the user%60s session ID before the user even logs into the target server, thereby eliminating the need to obtain the user%60s session ID afterwards. There are many ways for the attacker to perform a session fixation attack, depending on the session ID transport mechanism (URL arguments, hidden form fields, cookies) and the vulnerabilities available in the target system or its immediate environment. The paper provides detailed information about exploiting vulnerable systems as well as recommendations for protecting them against session fixation attacks.
| Name |
Web-Based Session Management |
| Keywords |
|
| Filesize |
46.6 kB |
| Google Ads |
|
| Filetype |
html (Mime Type: text/html) |
| Creator |
Everybody |
| Created On: |
07/23/2006 00:00 |
| Viewers |
Everybody |
| Maintained by |
Zinho |
| Hits |
6 Hits |
| Last updated on |
12/31/1969 16:00 |
| Homepage |
|
| CRC Checksum |
|
| MD5 Checksum |
|
You need to login to download texts/tools. Register here, it's fast and free!
|
|
|
