Session Hijacking?
There's a meme going around that opaque URLs used in continuation-based frameworks (or cookies, or whatever) are
susceptible to _session hijacking_. That is, if an adversary (usually a guy named Mallory) gets hold of such a URL that a
web user (Alice) has, he could continue the continuation (duh) named by said URL.
(Referring to my previous entry, I first saw "session hijacking" in this context yesterday or the day before. But I can't find the references now, to ruminate on what was being said where in what context. Must I run a personal proxy that indexes every page I visit?)
If Alice and Mallory are using the URL simultaneously, they present the server with a _race condition_. If Mallory is able to force the server to accept his actions and discard Alice's, that's session hijacking.
If Mallory is using the URL after Alice has already shut down her session, he's doing a _replay attack_. (Or he's _reusing a capability_.)
It also matters whether the operations involved are _idempotent_: GETs are; POSTs, PUTs and DELETEs aren't.
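One server-side way to tell the two cases apart, as an added example that is not code from the original entry or from any particular continuation framework: a continuation table that consumes a non-idempotent continuation exactly once under a lock (so a race has a single winner and any later use of the same URL is a replay), leaves idempotent ones reusable, and drops every continuation when the session that minted it is shut down. All names here are assumptions.

```python
import secrets
import threading


class ContinuationStore:
    """Maps opaque URL tokens to server-side continuations.

    Invariants enforced:
      * a non-idempotent continuation (POST-like) runs at most once;
      * an idempotent continuation (GET-like) may be re-invoked;
      * closing a session invalidates every token it issued.
    """

    def __init__(self):
        self._lock = threading.Lock()
        self._conts = {}  # token -> (session_id, callable, single_use)

    def register(self, session_id, fn, idempotent):
        # Token is the only capability; it must be unguessable.
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._conts[token] = (session_id, fn, not idempotent)
        return token

    def close_session(self, session_id):
        # Session shutdown: anything minted under it dies with it,
        # so a later presentation of the URL is a detectable replay.
        with self._lock:
            dead = [t for t, (s, _, _) in self._conts.items() if s == session_id]
            for t in dead:
                del self._conts[t]
        return len(dead)

    def invoke(self, token, arg):
        # Check-and-consume is atomic: two simultaneous holders of the
        # same token (the race) cannot both pass this block.
        with self._lock:
            entry = self._conts.get(token)
            if entry is None:
                return "rejected: unknown, consumed or expired token"
            _, fn, single_use = entry
            if single_use:
                del self._conts[token]
        return fn(arg)
```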
Let not a meme hijack reflection on a topic, eh?