[Esapi-user] SideJacking Question

Lukas, Ray Ray.Lukas at supermedia.com
Wed May 25 14:12:32 EDT 2011


So ESAPI.httpUtilities().assertSecureChannel() sounds like it will take care of this for me, by forcing all communications from login to logout through an SSL channel, even Ajax requests. Yes?  :)


Ray


From: Kevin W. Wall [mailto:kevin.w.wall at gmail.com]
Sent: Wednesday, May 25, 2011 12:09 PM
To: Lukas, Ray
Cc: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] SideJacking Question


The other way to address your issue is to make sure any cookies used for authN/authZ use the 'Secure' & 'HttpOnly' flags. I think ESAPI does this for its 'remember me' cookie. Not sure about the others.

-kevin
--
Kevin W. Wall
Sent from DroidX; please excuse typos.
On May 25, 2011 11:48 AM, "Lukas, Ray" <Ray.Lukas at supermedia.com> wrote:
> I am new, very new, so...
> Sidejacking is roughly defined as stealing someone's authenticated session object, thereby stealing their identity.
> The solution is to never send the session through anything that is not an SSL channel. In ESAPI, if I have this right, you say ESAPI.httpUtilities().assertSecureChannel();
> Now (at last) the question:
> Sessions can also be transmitted by Ajax requests, right? So... does this help me with that as well?
>
> Thanks guys.. I am still reading and learning.. but you got my attention at least..
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
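The two controls discussed above (reject any request that did not arrive over TLS, and mark the session cookie Secure + HttpOnly) are easiest to reason about when they sit in one place that every request passes through. The code below is an added example written for this thread; it is not ESAPI's own code and not something either poster wrote. It assumes ESAPI 2.x, where HTTPUtilities.assertSecureChannel(HttpServletRequest) throws AccessControlException when the request URL is not https, and a Servlet 3.0 container, whose SessionCookieConfig must be set from a ServletContextListener before the context finishes initializing. The class names SecureChannelFilter and SessionCookieHardening are hypothetical. The Strict-Transport-Security header goes one step beyond what the thread mentions: it makes the browser itself refuse to use http:// for the site, so the filter's redirect is rarely exercised.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;

/**
 * Hypothetical filter (added example, not ESAPI code). Map it to "/*" so that
 * every request, page loads and Ajax/XHR calls alike, goes through it: the
 * browser attaches the session cookie to an XMLHttpRequest exactly as it does
 * to a normal navigation, so there is no separate "Ajax path" to protect.
 */
public class SecureChannelFilter implements Filter {

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // assertSecureChannel() checks only the request it is handed. Calling it
        // once at login proves nothing about the next request, which is why the
        // check belongs here, on every request from login to logout.
        try {
            ESAPI.httpUtilities().assertSecureChannel(request);
        } catch (AccessControlException e) {
            // Do not serve the page (or an error page) over the channel we just
            // rejected; bounce the client to the https:// equivalent instead.
            String query = request.getQueryString();
            String target = "https://" + request.getServerName() + request.getRequestURI()
                    + (query == null ? "" : "?" + query);
            response.sendRedirect(target);
            return;
        }

        // Ask the browser to stop using http:// for this host at all (one year,
        // subdomains included), so future requests never hit the redirect above.
        response.setHeader("Strict-Transport-Security",
                "max-age=31536000; includeSubDomains");

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}

/**
 * Hypothetical listener (added example) that applies Kevin's second control to
 * the container's own session cookie (JSESSIONID). Secure: the browser will not
 * send the cookie on an http:// request, so a single http:// image load that an
 * on-path attacker injects into any page cannot leak the session id, even though
 * the filter above would have rejected that request server-side. HttpOnly: the
 * cookie is invisible to document.cookie, so an XSS bug cannot read it either.
 */
class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // SessionCookieConfig may only be changed before the context is
        // initialized, hence a listener rather than Filter.init().
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setSecure(true);
        cookie.setHttpOnly(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

Register the filter on "/*" and the listener in web.xml (or with @WebFilter and @WebListener). One caveat worth checking in any real deployment: assertSecureChannel() looks at the URL the servlet container sees, so if TLS is terminated at a load balancer or reverse proxy that talks plain HTTP to the container, every request will appear insecure (or, worse, the container may be reachable over plain HTTP and nothing upstream enforces TLS). In that setup, configure the container to trust the proxy's forwarded-scheme header, or do the TLS enforcement at the proxy, and verify with a browser's network inspector that the session cookie carries both the Secure and HttpOnly attributes.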

