[Owasp-testing] Copy Cookies
Dave van Stein
dvstein at gmail.com
Thu Jul 22 06:32:47 EDT 2010
> > In order for this trust to be legitimate the application should have a
> > mechanism to validate the authenticity of this token. Just accepting any
> > token that happens to be an active token is like only asking for a username
> > (and no password) and assuming everybody will only use his/her username.
> ...IF and only IF we also assumed that users picked a 128 bit random
> username every time, in which case, the app has the same level of security
> (or insecurity) as a traditional web app that used a 128bit random session
...IF and only IF we assume that every session token is a 128-bit random
value, which is not always the case ...
But the predictability of the session token is not really the issue here.
The fundamental issue is that for authentication you usually need at least
two things: a username and a password. Not taking user stupidity into
consideration, these are difficult to obtain. In session management you
essentially strip this down to only one thing: the token. When you obtain the
token, no additional information is needed to gain access if the authenticity
of the token is not validated. Therefore I think it is good practice to
compensate for this by implementing a session management variation on two-factor
authentication, namely validating the session id against some client-side
But you're right, this discussion is becoming very academic and fundamental,
and for 99% of the applications there are more serious things to worry about
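The "two-factor session" idea from the message above, as an added example that is not part of the original post or of any OWASP project code: a 128-bit random session id is issued at login and bound to a set of client-side attributes the server observes, and every later request must present both the id and a matching client. Which attributes to bind to is an assumption here (the post leaves it open); the values for the victim and attacker clients are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Server-side key for the binding hash. A real deployment loads this from
# configuration; generating it at import time is only for the stand-alone demo.
_SERVER_KEY = secrets.token_bytes(32)

# Assumption: the client-side attributes the session is bound to. The original
# post does not say which ones to use; these are request properties the server
# can observe for itself rather than values the client asserts.
BOUND_ATTRIBUTES = ("user_agent", "client_cert_fingerprint")

# In-memory session table: sid -> {"user", "binding", "expires"}
_SESSIONS = {}


def client_binding(request_attrs):
    """Keyed hash over the bound client attributes, taken in a fixed order so
    the same client always produces the same binding value."""
    material = "\x00".join(
        "%s=%s" % (name, request_attrs.get(name, "")) for name in BOUND_ATTRIBUTES
    )
    return hmac.new(_SERVER_KEY, material.encode(), hashlib.sha256).hexdigest()


def create_session(username, request_attrs, ttl=3600, now=None):
    """Issue a fresh 128-bit random session id and record who it belongs to,
    which client presented the login, and when it expires."""
    start = time.time() if now is None else now
    sid = secrets.token_hex(16)  # 16 random bytes = 128 bits
    _SESSIONS[sid] = {
        "user": username,
        "binding": client_binding(request_attrs),
        "expires": start + ttl,
    }
    return sid


def authenticate(sid, request_attrs, now=None):
    """Return the username when the session id is live AND the presenting
    client matches the binding recorded at login; otherwise return None.
    A live id presented by a non-matching client is treated as theft and the
    session is revoked, so the legitimate holder is logged out as well."""
    current = time.time() if now is None else now
    record = _SESSIONS.get(sid)
    if record is None:
        return None
    if current > record["expires"]:
        _SESSIONS.pop(sid, None)
        return None
    presented = client_binding(request_attrs)
    if not hmac.compare_digest(presented, record["binding"]):
        _SESSIONS.pop(sid, None)
        return None
    return record["user"]


def demo():
    """Constructed scenario: the victim logs in, the attacker replays the
    stolen session id from a different client, and the session is revoked."""
    victim = {
        "user_agent": "Mozilla/5.0 (X11; Linux) Firefox/3.6",
        "client_cert_fingerprint": "cert-fp-0001",  # constructed value
    }
    attacker = {
        "user_agent": "curl/7.21",
        "client_cert_fingerprint": "",  # no client certificate presented
    }
    sid = create_session("alice", victim)
    from_victim = authenticate(sid, victim)      # "alice": id and client both match
    from_attacker = authenticate(sid, attacker)  # None: valid id, wrong client
    after_revoke = authenticate(sid, victim)     # None: the replay revoked the session
    return from_victim, from_attacker, after_revoke


if __name__ == "__main__":
    print(demo())
```

The strength of this check is exactly the strength of the attributes chosen: a user agent string is attacker-controlled and is copied along with the cookie in most theft scenarios, and a source IP breaks for users behind NAT or on mobile networks, so binding to a property of the transport the attacker cannot reproduce (a TLS client certificate, for instance) is what actually makes the second factor worth having. Revoking on mismatch, rather than silently denying, also gives the legitimate user a visible signal that the token was replayed.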