
Talk:OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking

Revision as of 18:33, 30 September 2015 by Apgiannakidis (talk | contribs) (Tying the session ID to the SSL session is a wrong advice to suggest)


This page suggests the following:

"Tie the session ID to the SSL session and provide configurable options for actions to take if the session ID is transmitted over a new SSL session. Expose integration points with perimeter technologies to facilitate SSL termination, renegotiation, and other transitions."

I believe that this is wrong and impractical. The risk of breaking the normal application flow is really big. The SSL session ID is not dependable enough to be the basis for user identification.

More information here:

http://security.stackexchange.com/questions/101440/tie-the-session-id-to-the-ssl-session

http://stackoverflow.com/questions/2817325/retrieve-ssl-session-id-in-asp-net/2885177#2885177
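To make the concern above concrete, here is an added simulation (not part of the talk-page comment, the OWASP page, or any real framework) of a server-side session store that binds the application session cookie to the TLS session ID. The `SessionStore` class, its `policy` values, and the TLS session IDs `tls-A`, `tls-B`, `tls-C` are all constructed for illustration. A legitimate user keeps presenting the same cookie while the underlying TLS session changes, as happens when the resumption cache expires, the connection is renegotiated, or a reverse proxy terminates TLS in front of the application; under a strict binding every such change logs the user out.

```python
"""Simulate binding an application session to the TLS session ID.

Everything here is a constructed model: there is no network, and the TLS
session IDs are plain strings standing in for what a server would observe.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    tls_session_id: str  # TLS session ID observed when the cookie was issued


class SessionStore:
    """policy: 'strict' rejects on any TLS session change,
               'rebind' accepts and records the new TLS ID,
               'off'    ignores the TLS session entirely."""

    def __init__(self, policy: str = "strict") -> None:
        self.policy = policy
        self.sessions: dict[str, Session] = {}

    def create(self, user: str, tls_session_id: str) -> str:
        sid = secrets.token_hex(16)  # 128-bit random cookie value
        self.sessions[sid] = Session(user, tls_session_id)
        return sid

    def validate(self, sid: str, tls_session_id: str) -> tuple[bool, str]:
        """Return (accepted, reason) for a request carrying cookie `sid`."""
        s = self.sessions.get(sid)
        if s is None:
            return False, "unknown session"
        if self.policy == "off" or s.tls_session_id == tls_session_id:
            return True, "accepted"
        if self.policy == "strict":
            del self.sessions[sid]  # forced logout of a legitimate user
            return False, "rejected: TLS session changed"
        # 'rebind': keep the user logged in but adopt the new TLS session ID.
        # This keeps the flow working, but the binding no longer proves anything.
        s.tls_session_id = tls_session_id
        return True, "accepted, rebound"


def simulate(policy: str) -> list[tuple[str, bool, str]]:
    """One user, one cookie, four requests; the TLS session changes twice."""
    store = SessionStore(policy)
    cookie = store.create("alice", tls_session_id="tls-A")  # constructed
    results = []
    for tls_id in ("tls-A", "tls-A", "tls-B", "tls-C"):  # constructed sequence
        ok, why = store.validate(cookie, tls_id)
        results.append((tls_id, ok, why))
    return results


def forced_logouts(policy: str) -> int:
    """How many of the legitimate requests were rejected under `policy`."""
    return sum(1 for _, ok, _ in simulate(policy) if not ok)


if __name__ == "__main__":
    for policy in ("strict", "rebind", "off"):
        print(policy, forced_logouts(policy), simulate(policy))
```

Running it shows the trade-off the comment points at: `strict` rejects the user at the first TLS session change and every request after it, `rebind` never rejects but provides no protection, and `off` is simply the unbound session. Note also that an application behind a TLS-terminating proxy typically cannot observe the TLS session ID at all, which is the situation the linked Stack Overflow question is about.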