Hi, All

Sorry, this post might be out of scope of this particular list, but still... don't punch me heavily :) I just think the people here might have met this problem while deploying big public applications.

I use Apache::Session to identify logged in users. However, the users are allowed to post html (obviously with javascript) messages viewable by others. That could create an XSS vulnerability and allow stealing the sessions (cookies) of other users.

Is it possible to uniquely identify the user by some attributes?
The only thing I consider now is IP, but what about proxies and NATs?
User Agent string could also be stolen via javascript. That means I tend to make stolen session ids non-reusable.


Any thoughts?

Sincerely,
Aleksandr Guidrevitch
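The session-binding idea raised in the post (tie a session id to the client's IP and User-Agent so a stolen cookie is useless elsewhere), worked through as an added example. This is not the poster's code and not Apache::Session; it is written in Python rather than Perl because the check is independent of the session store, and the secret key, addresses and User-Agent string are constructed for the demonstration. It shows both the benefit (a replayed id from another address is rejected and the session revoked) and the caveats the post mentions: a legitimate user whose proxy or NAT changes egress IP is also logged out, and a replay from behind the same NAT with a copied User-Agent still passes.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for the fingerprint MAC (assumption, not from the post).
SERVER_SECRET = b"constructed-example-secret"


def fingerprint(client_ip, user_agent):
    """Keyed hash of the attributes the session is bound to (IP and User-Agent)."""
    data = f"{client_ip}|{user_agent}".encode()
    return hmac.new(SERVER_SECRET, data, hashlib.sha256).hexdigest()


class SessionStore:
    """Minimal in-memory session store that records a client fingerprint at login."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, client_ip, user_agent):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "fp": fingerprint(client_ip, user_agent)}
        return sid

    def validate(self, sid, client_ip, user_agent):
        """Return the user for sid, or None. A fingerprint mismatch revokes the session."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["fp"], fingerprint(client_ip, user_agent)):
            # Possible hijack: drop the session so the id cannot be reused by anyone.
            del self._sessions[sid]
            return None
        return rec["user"]


def run_scenarios():
    """Exercise the binding check against constructed clients; returns a dict of outcomes."""
    ua = "Mozilla/5.0 (constructed User-Agent)"
    store = SessionStore()
    out = {}

    # 1. Same IP and User-Agent as at login: accepted.
    sid = store.create("alice", "203.0.113.10", ua)
    out["same_client"] = store.validate(sid, "203.0.113.10", ua)

    # 2. Session id presented from a different address, even with the User-Agent
    #    copied (it is readable from script, as the post notes): rejected...
    sid = store.create("alice", "203.0.113.10", ua)
    out["other_ip_copied_ua"] = store.validate(sid, "198.51.100.7", ua)
    #    ...and the legitimate client is logged out too, because the id was revoked.
    out["revoked_after_mismatch"] = store.validate(sid, "203.0.113.10", ua)

    # 3. Caveat: a legitimate user whose proxy/NAT egress IP changes mid-session
    #    is indistinguishable from case 2 and gets logged out.
    sid = store.create("alice", "203.0.113.10", ua)
    out["proxy_rotated_ip"] = store.validate(sid, "203.0.113.11", ua)

    # 4. Limit: a request from behind the same NAT with the same User-Agent
    #    carries the same fingerprint, so the check cannot tell it apart.
    sid = store.create("alice", "203.0.113.10", ua)
    out["same_nat_copied_ua"] = store.validate(sid, "203.0.113.10", ua)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} -> {result}")
```

Binding to IP and User-Agent therefore narrows where a stolen id can be used but does not stop reuse from the same network path, and it costs sessions for users behind rotating proxies; it is a mitigation layered on top of keeping the cookie out of reach of page script, not a replacement for it.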


