-- On 12 Jun 2003 at 16:25, Steve Schear wrote:
> http://www.acros.si/papers/session_fixation.pdf

Wow. This flaw is massive, and the biggest villain is the server side code created for Apache. When you login to your bank, your e-gold account, your stockbroker, or your domain registrar, someone else can share your login.

It is a security design error in the development environments for active server pages (all of them). Every such development environment will have to be changed, and every login script written for existing environments needs to have some kind of workaround cobbled into it.

The ideal solution is to change the development environment so that your session identifier is linked to the shared symmetric key used in any https conversation during that session, which requires tight coupling of https and development environments for active server pages.

In the long term, https must be amended to have a concept of login and session, and make that sessionID available to the server side coding environments.

--digsig James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
SnDt+rS7QWjKfmo0bTes8RJ5F6sGgF/gULJmRunl
4xIiGoxSbiGMryITmfRKr11XPrglqtpA2RWHUDI+p
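The two defences the post argues for, as an added example that is not from the paper, the list, or any web framework: a server-side store that never adopts a client-supplied session id, rotates the id at login, and binds the logged-in session to the TLS channel. The `channel_binding` bytes stand in for the per-connection TLS key material the post wants exposed to the application; the values here are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None
    channel_binding: Optional[bytes] = None  # assumption: bytes identifying the TLS session


class SessionStore:
    """Server-side session store; ids are only ever minted by the server."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def resolve(self, presented_id: Optional[str]) -> str:
        """Return a valid id. An unknown or missing id gets a fresh one, so a
        value planted in the victim's browser is never silently accepted."""
        if presented_id is not None and presented_id in self._sessions:
            return presented_id
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def login(self, old_sid: str, user: str, channel_binding: bytes) -> str:
        """Rotate the id at the privilege change and bind it to the TLS channel."""
        self._sessions.pop(old_sid, None)  # the pre-login id is retired
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user, channel_binding=channel_binding)
        return new_sid

    def authenticated_user(self, sid: str, channel_binding: bytes) -> Optional[str]:
        """Return the user only if the id is known, logged in, and presented
        over the same TLS channel it was bound to at login."""
        sess = self._sessions.get(sid)
        if sess is None or sess.user is None or sess.channel_binding is None:
            return None
        if not hmac.compare_digest(sess.channel_binding, channel_binding):
            return None
        return sess.user


def fixation_scenario() -> Dict[str, object]:
    """Attacker obtains an id, victim arrives with it and logs in; check what
    each party can then do with each id (constructed channel values)."""
    store = SessionStore()
    attacker_tls, victim_tls = b"constructed-tls-attacker", b"constructed-tls-victim"
    planted = store.resolve(None)             # attacker's own pre-login id
    victim_sid = store.resolve(planted)       # victim presents the planted id
    after_login = store.login(victim_sid, "alice", victim_tls)
    return {"rotated": after_login != planted,
            "attacker_via_planted": store.authenticated_user(planted, attacker_tls),
            "attacker_via_new_id": store.authenticated_user(after_login, attacker_tls),
            "victim_ok": store.authenticated_user(after_login, victim_tls)}
```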