[Esapi-user] SideJacking Question

Kevin W. Wall kevin.w.wall at gmail.com
Wed May 25 12:09:26 EDT 2011


The other way to address your issue is to make sure any cookies used for
authN/authZ use the 'Secure' & 'HttpOnly' flags. I think ESAPI does this
for its 'remember me' cookie. Not sure about the others.

-kevin
--
Kevin W. Wall
Sent from DroidX; please excuse typos.
On May 25, 2011 11:48 AM, "Lukas, Ray" <Ray.Lukas at supermedia.com> wrote:
> I am new, very new, so...
> Sidejacking, roughly defined as stealing someone's authenticated session
> object, thereby stealing their identity.
> Solution is to never send the Session through anything that is not an SSL
> channel. In ESAPI, if I have this right, you say
> ESAPI.httpUtilities().assertSecureChannel();
> Now (at last) The Question:
> Sessions can also be transmitted by Ajax requests, right, so... Does this
> help me with that as well..?
>
> Thanks guys.. I am still reading and learning.. but you got my attention
> at least..
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
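To illustrate the two points raised in this thread (refusing to serve an authenticated session over a non-TLS channel, and issuing the authentication cookie with the Secure and HttpOnly flags), here is an added example written for this thread; it is not ESAPI's own code and does not come from either poster. It uses only the standard Servlet API (Servlet 3.0 or later, for `Cookie.setHttpOnly`); the class name `SecureSessionFilter`, the helper `authCookie`, and the cookie name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (example code, not part of ESAPI): rejects any request
 * to a protected path that did not arrive over TLS, and shows how an
 * authentication cookie should be issued so the browser will neither send it
 * over plain HTTP nor expose it to page scripts.
 */
public class SecureSessionFilter implements Filter {

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // An XMLHttpRequest from the page carries the same cookies as a normal
        // navigation, so this one check covers Ajax calls as well: a plain-HTTP
        // request for a protected path is refused instead of being answered
        // with session-bound content.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /**
     * Build an authentication cookie with both flags Kevin mentions.
     * Secure: the browser only attaches it to https:// requests, so a
     * sniffer on an open network never sees it. HttpOnly: document.cookie
     * cannot read it, so script injection cannot lift it either.
     */
    public static Cookie authCookie(String name, String value) {
        Cookie c = new Cookie(name, value);   // name/value are caller-supplied; example only
        c.setSecure(true);
        c.setHttpOnly(true);
        c.setPath("/");
        return c;
    }
}
```

Two caveats a deployer would check: `request.isSecure()` reports what the servlet container saw, so behind a TLS-terminating load balancer it may return false unless the container is configured to trust the proxy's forwarded-protocol header; and the container's own session cookie (JSESSIONID) is not issued by this code, so its flags are set in `web.xml` through `<session-config><cookie-config><secure>true</secure><http-only>true</http-only></cookie-config></session-config>` (Servlet 3.0), or by the container's equivalent setting.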