[Owasp-cincinnati] Generate different session id for security

Zhou, Yan yzhou at medplus.com
Thu Jun 19 10:16:53 EDT 2008

Hi there, 


I read that a Web app needs to issue a different session id when the user
enters a protected page (e.g., moving from HTTP to HTTPS) or enters a more
privileged page. This all makes sense for security. But I do not know
what the best way is to carry session data over to the new session.


The user would not be happy if, after he enters an HTTPS page or a more
privileged page, all his data from the previous session is lost. Is this an
issue or am I missing something?




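One way to do what the question asks, as an added example that is not part of the original post: the server issues a fresh session id at the privilege boundary (login, HTTP to HTTPS), invalidates the old id, and moves the existing session data over unchanged, so nothing the user built up is lost. The in-memory store and the function names are assumptions for illustration; a real app would use its framework's session backend.

```python
import secrets
import time

# Constructed in-memory session store (assumption for this example):
# key = opaque session id, value = the session's data dict.
SESSION_STORE = {}
SESSION_ID_BYTES = 32  # 256 bits of entropy from a CSPRNG


def new_session_id():
    # Unpredictable id; never derive it from user data or a counter.
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def create_session(data=None):
    sid = new_session_id()
    SESSION_STORE[sid] = dict(data or {})
    return sid


def regenerate_session(old_sid, new_privilege=None):
    """Issue a fresh id at a privilege boundary, keeping the session data.

    The old id is removed so an id that was fixated, guessed or observed
    on the plain-HTTP leg stops working; the data (cart, preferences...)
    is carried over to the new id. Returns the new id, or None when the
    old id was not a live session (nothing to carry over).
    """
    data = SESSION_STORE.pop(old_sid, None)
    if data is None:
        return None
    if new_privilege is not None:
        data["privilege"] = new_privilege
    data["regenerated_at"] = time.time()
    new_sid = new_session_id()
    SESSION_STORE[new_sid] = data
    return new_sid


def get_session(sid):
    return SESSION_STORE.get(sid)


def session_cookie_header(sid, secure):
    # Once the user is on HTTPS, mark the cookie Secure so the new id is
    # never sent back over plain HTTP; HttpOnly keeps it away from scripts.
    attrs = ["Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: SESSIONID=%s; %s" % (sid, "; ".join(attrs))
```

Call `regenerate_session` on the request that crosses the boundary and send the returned id in the response cookie; the user sees the same cart and preferences under the new id.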
