On Sun, 23 Dec 2007 23:31:03 +0100, Edi Weitz <edi@agharta.de> wrote:

> On Sun, 23 Dec 2007 22:22:22 +0000 (UTC), Sohail Somani <sohail@taggedtype.net> wrote:
>
>> Hypothetically speaking, if I wanted to prevent hijacking by guessing, I could just redefine hunchentoot:get-next-session-id.
>> Does this sound correct?
>
> Yes, I think so.
Er, no, actually. I've seen this mentioned in your blog
http://uint32t.blogspot.com/2007/12/abusing-hunchentoots-dispatch-mechanism....
and thought about it again. So, tell me, if you happen to know for sure that my session ID is 42 and if you also know my user agent string and my IP address, how would you construct a cookie to hijack my session?
Edi.
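Edi's question reads as a scheme in which the cookie binds the session id to the user agent and client address under a secret only the server holds, so knowing the id alone (or even the id, user agent and address) is not enough to forge a cookie. The following is an added illustration of such a keyed-MAC cookie, not Hunchentoot's own code; the cookie layout, the `|` and `:` separators and the server secret are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed server-side secret for the example; a real server would
# generate a random key at startup and never expose it to clients.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def make_cookie(session_id, user_agent, remote_addr, secret=SERVER_SECRET):
    """Cookie = "<id>:<tag>", where tag = HMAC(secret, id|user_agent|remote_addr)."""
    msg = f"{session_id}|{user_agent}|{remote_addr}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{session_id}:{tag}"


def verify_cookie(cookie, user_agent, remote_addr, secret=SERVER_SECRET):
    """Return the session id if the tag matches this request's UA and address, else None."""
    sid, sep, tag = cookie.partition(":")
    if not sep:
        return None  # malformed cookie: no tag at all
    expected = make_cookie(sid, user_agent, remote_addr, secret).partition(":")[2]
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return sid if hmac.compare_digest(tag, expected) else None


def demo():
    """Constructed scenario: victim session 42, an attacker who knows id, UA and IP."""
    ua, ip = "Mozilla/5.0 (example)", "198.51.100.7"
    victim_cookie = make_cookie(42, ua, ip)

    # Legitimate request: same cookie, same UA, same address -> accepted.
    legit = verify_cookie(victim_cookie, ua, ip)

    # Attacker guesses id 42 and knows UA and IP, but not SERVER_SECRET;
    # the best they can do is a tag under some key of their own.
    forged = make_cookie(42, ua, ip, secret=b"attacker-guess")
    forged_result = verify_cookie(forged, ua, ip)

    # Even the genuine cookie, replayed from a different address, is rejected.
    replayed = verify_cookie(victim_cookie, ua, "203.0.113.9")

    return legit, forged_result, replayed
```

`demo()` returns `("42", None, None)`: only the request that holds the genuine tag and matches the bound user agent and address is accepted.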