On Fri, Feb 23, 2001 at 03:26:16PM -0000, Magnús Þór Torfason wrote:
> My theoretical scenario was:
> The session ID is NOT cryptographically secure.
> The attacker enters the URL for Turbine (SSL or not) and gets back a session
> ID.
> He then tries different subtle variations on the session ID, and tries this
> until he hits a session that another user has already created.  He has then
> stolen a session from a legitimate user, without intercepting any
> information sent between the user and server, and without guessing the
> user's password.

There was a big discussion about this on the tomcat-dev list a while
back, which is why they decided to use SecureRandom as the session ID
generator by default, so that valid session IDs should not be guessable.

-- 
Sean Legassick
[EMAIL PROTECTED]
      I am a man: nothing human is foreign to me