[Owasp-topten] Session Fixation in Identity Manager (IdM) based Single Sign-On (SSO) Environments

vanderaj vanderaj vanderaj at owasp.org
Tue Jul 17 07:07:29 UTC 2012


Make sure you look at this issue as well in the session management update
in the Top 10:

*Session puzzling and session race conditions*
http://sectooladdict.blogspot.com.au/2011/09/session-puzzling-and-session-race.html

Session puzzling has not got anywhere near the awareness, traction, or
testing that is required, and yet it is so simple to do once *understood*,
practiced, and learnt. I've seen it recently, but it does require a certain
application architecture and mis-implementation, which many IdM and SSO
implementations seem to have.

Is it very common? No, but it's easy enough to mention, like we do for
CSRF.

thanks,
Andrew