
26 Dec 2007, 5:18 p.m.
On Sun, 23 Dec 2007 23:31:03 +0100, Edi Weitz <edi@agharta.de> wrote:
> On Sun, 23 Dec 2007 22:22:22 +0000 (UTC), Sohail Somani <sohail@taggedtype.net> wrote:
> > Hypothetically speaking, if I wanted to prevent hijacking by guessing, I could just redefine hunchentoot:get-next-session-id.
> > Does this sound correct?
> Yes, I think so.
Er, no, actually. I've seen this mentioned in your blog http://uint32t.blogspot.com/2007/12/abusing-hunchentoots-dispatch-mechanism.... and thought about it again.

So, tell me, if you happen to know for sure that my session ID is 42 and if you also know my user agent string and my IP address, how would you construct a cookie to hijack my session?

Edi.
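The point behind Edi's question is that a session cookie need not be just the session ID: if the cookie also carries a keyed digest over the ID, the user agent and the remote address under a secret that only the server knows, then guessing or even knowing the ID (and the UA and IP) still does not yield a cookie the server will accept. The following is an added, generic illustration of such a scheme and is not Hunchentoot's own code; the exact fields and hash Hunchentoot used at the time are not stated in this thread, so the cookie layout "id:mac", the use of HMAC-SHA256, and the function names below are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# Server-side secret, assumed to be generated at startup and never sent to clients.
# (Assumption for the example; a real server would also persist or rotate it deliberately.)
SERVER_SECRET = secrets.token_bytes(32)


def session_mac(session_id: int, user_agent: str, remote_addr: str, secret: bytes) -> str:
    """Keyed digest binding the session id to the client's UA and IP under the server secret.

    NUL separators keep 'ab' + 'c' and 'a' + 'bc' from producing the same message.
    """
    msg = f"{session_id}\x00{user_agent}\x00{remote_addr}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_cookie(session_id: int, user_agent: str, remote_addr: str,
                secret: bytes = SERVER_SECRET) -> str:
    """Cookie value of the form 'id:mac' (layout is an assumption for the example)."""
    return f"{session_id}:{session_mac(session_id, user_agent, remote_addr, secret)}"


def verify_cookie(cookie: str, user_agent: str, remote_addr: str,
                  secret: bytes = SERVER_SECRET):
    """Return the session id if the cookie is authentic for this client, else None."""
    sid, sep, mac = cookie.partition(":")
    if not sep or not sid.isdigit():
        return None
    expected = session_mac(int(sid), user_agent, remote_addr, secret)
    # Constant-time comparison so a forger cannot learn the MAC byte by byte from timing.
    if not hmac.compare_digest(mac, expected):
        return None
    return int(sid)


def forge_attempt(session_id: int, user_agent: str, remote_addr: str,
                  guessed_secret: bytes) -> str:
    """What an attacker can build who knows id, UA and IP but has to guess the secret."""
    return make_cookie(session_id, user_agent, remote_addr, guessed_secret)


def demo() -> dict:
    # Constructed sample client, not taken from any real request.
    ua = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20071025 Firefox/2.0.0.9"
    ip = "192.0.2.10"

    legit = make_cookie(42, ua, ip)
    # Attacker knows the id is 42 and knows UA and IP, but not SERVER_SECRET.
    forged = forge_attempt(42, ua, ip, b"guessed-secret")
    # Attacker takes a valid cookie and just bumps the id to the next (guessable) value.
    sid, _, mac = legit.partition(":")
    bumped = f"{int(sid) + 1}:{mac}"

    return {
        "legit_accepted": verify_cookie(legit, ua, ip) == 42,
        # Same cookie presented from a different UA or IP is rejected.
        "other_ua_rejected": verify_cookie(legit, "curl/7.16", ip) is None,
        "other_ip_rejected": verify_cookie(legit, ua, "198.51.100.7") is None,
        "forged_rejected": verify_cookie(forged, ua, ip) is None,
        "bumped_id_rejected": verify_cookie(bumped, ua, ip) is None,
        # Caveat: the whole scheme rests on the secret. If it is known or guessable,
        # knowing id, UA and IP is enough to mint a valid cookie.
        "known_secret_forges": verify_cookie(
            forge_attempt(42, ua, ip, b"leaked"), ua, ip, secret=b"leaked") == 42,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

So with a scheme like this, making get-next-session-id unpredictable is defence in depth rather than the thing that stops hijacking; what matters is that the server secret is strong and stays secret, and that the id-guessing attacker cannot obtain a valid MAC for an id other than their own.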