[Zope] CoreSessionTracking: Brute-Forcing Web Application Session IDs
Frank Tegtmeyer
fte@lightwerk.com
27 Nov 2001 11:46:45 +0100
"Chris McDonough" <chrism@zope.com> writes:
> This is annoying, of course, but it's not too bad yet.
Yes, it's annoying, and because it can easily be made harder, I
recommend doing so. That's the point I wanted to make.
> casually guess (19 characters, 8 of which are randomly generated), are
> there mitigatable risks which have a solution that doesn't depend on
> unchanging IP addresses that I'm overlooking?
It's very cost effective to integrate a hash and a secret: It does
cost nearly nothing for you, the maintainer of CoreSessions and it
really costs nothing besides a few CPU cycles for the sites using
it. But it makes it *much* harder for potential attackers to go for a
session id.
So I think it should be done :)
Of course you are right to tell the people not to rely on sessions for
sensitive data. For that there should be an integrated solution to
require SSL for sensitive pages/views.
Regards, Frank
--
CTO fte@Lightwerk.com http://www.Lightwerk.com/
Fax: +49-2434-80 07 94 Phone: +49-2434-80 07 81
Lightwerk GmbH * An der Kull 11 * 41844 Wegberg * Germany
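The "hash and a secret" Frank proposes above amounts to keying the session ID with a server-side MAC: the server keeps a secret, appends an HMAC of the random part to the ID it hands out, and rejects any presented ID whose MAC does not verify before it ever touches the session store. The following is an added illustration in Python, not code from Frank, Chris, or the CoreSessionTracking product; the secret, the 16-byte random length and the `random.mac` layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret. In a real deployment this is loaded from configuration
# and never sent to clients; the value below is constructed for the example.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

RANDOM_BYTES = 16  # 128 bits of entropy in the random part (assumed size)


def _mac(random_part: str, secret: bytes) -> str:
    """HMAC-SHA256 of the random part under the server secret, hex encoded."""
    return hmac.new(secret, random_part.encode("ascii"), hashlib.sha256).hexdigest()


def new_session_id(secret: bytes = SERVER_SECRET) -> str:
    """Issue an ID of the form '<random>.<mac>'.

    The random half carries the entropy; the MAC half lets the server tell
    a guessed or forged ID from one it issued, without a store lookup.
    """
    random_part = secrets.token_hex(RANDOM_BYTES)
    return f"{random_part}.{_mac(random_part, secret)}"


def verify_session_id(session_id: str, secret: bytes = SERVER_SECRET) -> bool:
    """Return True only if the ID carries a MAC the server itself produced."""
    if session_id.count(".") != 1:
        return False
    random_part, presented_mac = session_id.split(".", 1)
    if not random_part or not presented_mac:
        return False
    expected = _mac(random_part, secret)
    # Constant-time comparison so a timing side channel does not leak how
    # many leading MAC bytes a presented value got right.
    return hmac.compare_digest(expected, presented_mac)


def load_session(session_id: str, store: dict, secret: bytes = SERVER_SECRET):
    """Look a session up only after the MAC checks out.

    IDs that fail verification never reach the store, so a brute-force
    run against the random part costs the attacker a full MAC forgery
    rather than a cheap dictionary probe.
    """
    if not verify_session_id(session_id, secret):
        return None
    return store.get(session_id)


if __name__ == "__main__":
    sessions = {}
    sid = new_session_id()
    sessions[sid] = {"user": "alice"}
    print("issued:", sid)
    print("valid lookup:", load_session(sid, sessions))
    forged = sid[:-1] + ("0" if sid[-1] != "0" else "1")
    print("tampered lookup:", load_session(forged, sessions))
```

Rotating `SERVER_SECRET` invalidates every outstanding ID at once, which is the intended behaviour if the secret is suspected to have leaked; a weak or shared secret defeats the scheme, so treat it with the same care as any other credential.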