This is not difficult; send a message with a URL back to a web server
owned by you.  When they read the message, the browser sends the session
tracking string as part of the referrer.  If you extract this automatically
and hijack the session before they log out you're in.

   I thought we had such a case several weeks ago, but the leak was not
through webmail .... it was a case of mistaken identity by our tech support.

----- Original Message -----
> > My question is, by checking this option, how unsecure web
> > messaging has become? Did we let down all the defenses or does it
> > still have some security enforcement mechanism?
>
> Session security is still in effect. Note the session tracking string in
> the URL of web messaging... someone would have to get that value, and login
> with it within 12 minutes of you being on the site.

______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Glowing Praise...... mailto:[EMAIL PROTECTED]
Searchable List Archive.... http://www.mail-archive.com/[email protected]
To Manage your Subscription......... http://humankindsystems.com/lists

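As an added illustration (not part of this thread, and not IMail's code), a defender-side check for the scenario described above: when the session tracking string travels in the URL, any outbound link clicked from the mailbox hands it to the linked site in the Referer header, and the hijack shows up in the webmail server's own access log as the same token being presented from a second client address. The log format, the query-string key names (`session`, `sid`) and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined-log-format line (assumed format, constructed for this example):
# client ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Query-string keys taken to carry the session tracking string (assumed names, not IMail's real ones).
SESSION_KEYS = ("session", "sid")

def session_token(url):
    """Return the session tracking string found in a URL's query string, or None."""
    query = parse_qs(urlsplit(url).query)
    for key in SESSION_KEYS:
        if key in query:
            return query[key][0]
    return None

def find_hijack_candidates(log_lines):
    """Group requests by the session token in the request path and return every
    token presented from more than one client address, mapped to the addresses
    and the Referer each address first arrived with."""
    seen = defaultdict(dict)  # token -> {client address: first Referer seen}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        token = session_token(m["path"])
        if token is None:
            continue  # no session string in this URL, nothing to leak
        seen[token].setdefault(m["client"], m["referer"])
    return {tok: clients for tok, clients in seen.items() if len(clients) > 1}

# Constructed sample log: the legitimate user at 203.0.113.10 reads mail, then the
# same token is replayed from 198.51.100.7; a second, unshared token for contrast.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2003:10:00:01 +0000] "GET /mail/inbox?session=abc123 HTTP/1.1" 200 512 "-" "Mozilla"',
    '203.0.113.10 - - [01/Jan/2003:10:00:09 +0000] "GET /mail/read?session=abc123&msg=7 HTTP/1.1" 200 2048 "http://webmail.example/mail/inbox?session=abc123" "Mozilla"',
    '198.51.100.7 - - [01/Jan/2003:10:03:40 +0000] "GET /mail/inbox?session=abc123 HTTP/1.1" 200 512 "-" "curl/7.10"',
    '203.0.113.22 - - [01/Jan/2003:10:04:00 +0000] "GET /mail/inbox?session=zzz999 HTTP/1.1" 200 512 "-" "Mozilla"',
]

if __name__ == "__main__":
    for token, clients in find_hijack_candidates(SAMPLE_LOG).items():
        print(f"session {token} used from {len(clients)} addresses: {', '.join(clients)}")
```

Address changes also happen legitimately (proxies, NAT, dial-up reconnects), so treat a hit as a lead to investigate within the session window rather than proof of a hijack.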