[hunchentoot-devel] Sessions not secure?
Edi Weitz
edi at agharta.de
Wed Dec 26 17:18:24 UTC 2007
On Sun, 23 Dec 2007 23:31:03 +0100, Edi Weitz <edi at agharta.de> wrote:
> On Sun, 23 Dec 2007 22:22:22 +0000 (UTC), Sohail Somani <sohail at taggedtype.net> wrote:
>
>> Hypothetically speaking, if I wanted to prevent hijacking by
>> guessing, I could just redefine hunchentoot:get-next-session-id.
>>
>> Does this sound correct?
>
> Yes, I think so.
Er, no, actually. I've seen this mentioned in your blog
http://uint32t.blogspot.com/2007/12/abusing-hunchentoots-dispatch-mechanism.html
and thought about it again. So, tell me, if you happen to know for
sure that my session ID is 42 and if you also know my user agent
string and my IP address, how would you construct a cookie to hijack
my session?
Edi.
More information about the Tbnl-devel
mailing list