On 22.04.2012 21:38, Michael Heydekamp wrote:
>> protecting sessions from hijacking by remembering the user-agent
>> at start and aborting each request with the same session ID and
>> a different user-agent is common sense and some implementations
>> are also including the client IP
>
> Didn't know that. But how can a different user on a different machine have
> the same session ID (if not by random)? Is there any way to a) get hold of
> the ID of any other user's session, and b) influence his own session ID
> in a way that he would identify himself with the same ID?

How long do you think it takes to write a cookie like this?
The only interesting part is
"roundcube_sessauth=S1168d2474c3b543053461d00f9c8b1a1b1764905"

Being in an open WLAN without SSL, anybody can fake it in seconds:

Cookie: mailviewsplitterv=244; mailviewsplitter=262; composesplitterv=175; 
prefsviewsplitter=195;
folderviewsplitter=300; addressviewsplitter=250; addressviewsplitterd=200; 
identviewsplitter=300;
tl_webmail_sessid=vpxiRqxOLDa%2CM7gMP81eB2hPPc1; 
roundcube_sessauth=S1168d2474c3b543053461d00f9c8b1a1b1764905


_______________________________________________
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users
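The mitigation quoted at the top of the thread (remember the user-agent at login, optionally the client IP, and abort any request that presents the same session ID with a different one) is easy to demonstrate. The following is an added example in Python, not code from this mail or from Roundcube: the session store, the function names, the user-agent strings and the IP addresses are all constructed for illustration. The cookie name `roundcube_sessauth` is taken from the mail; the `Secure` and `HttpOnly` attributes on the `Set-Cookie` line are standard cookie flags and address the "without SSL" point, since a cookie marked `Secure` is never sent over plain HTTP and so cannot be read off an open WLAN.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store for this example; a real application
# keeps this in its server-side session backend.
_SESSIONS = {}


def _fingerprint(user_agent, client_ip=None):
    """Hash of the request attributes the session is bound to.

    Hashing keeps raw user-agent strings out of the store and gives a
    fixed-length value to compare. Binding to the client IP is optional:
    clients behind mobile carriers or proxy pools change address during
    a session, so IP binding trades some usability for a stricter check.
    """
    material = user_agent if client_ip is None else user_agent + "\n" + client_ip
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def start_session(user, user_agent, client_ip=None, bind_ip=False):
    """Create a session at login and remember the client's fingerprint."""
    sid = secrets.token_hex(20)  # 160 bits from the OS CSPRNG, never guessable
    _SESSIONS[sid] = {
        "user": user,
        "fp": _fingerprint(user_agent, client_ip if bind_ip else None),
        "bind_ip": bind_ip,
    }
    return sid


def check_request(sid, user_agent, client_ip=None):
    """Validate a request that presents session ID `sid`.

    Returns (user, reason); `user` is None when the request is rejected.
    A fingerprint mismatch destroys the session, so a cookie copied from
    the wire is useless afterwards, to the copier and to the original
    client alike (who simply has to log in again).
    """
    sess = _SESSIONS.get(sid)
    if sess is None:
        return None, "unknown-session"
    presented = _fingerprint(user_agent, client_ip if sess["bind_ip"] else None)
    # Constant-time comparison; the values are hashes, so their length is fixed.
    if not hmac.compare_digest(sess["fp"], presented):
        del _SESSIONS[sid]
        return None, "fingerprint-mismatch"
    return sess["user"], "ok"


def set_cookie_header(sid):
    """Set-Cookie line the login response should send for the session ID.

    Secure: the browser only sends the cookie over HTTPS, so it never
    travels in the clear over an open WLAN. HttpOnly: scripts cannot read it.
    """
    return f"Set-Cookie: roundcube_sessauth={sid}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    # Constructed sample values.
    ua_owner = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/11.0"
    sid = start_session("alice", ua_owner, "192.0.2.10", bind_ip=True)
    print(set_cookie_header(sid))
    print(check_request(sid, ua_owner, "192.0.2.10"))
    # The same cookie value presented from another machine on the WLAN:
    print(check_request(sid, "Mozilla/5.0 (Windows NT 6.1) Chrome/18.0", "192.0.2.77"))
    # The legitimate client is now logged out as well and must re-authenticate.
    print(check_request(sid, ua_owner, "192.0.2.10"))
```

Note that the user-agent check only raises the bar: it is a heuristic that the session owner's browser sends the same header on every request, not a proof of identity. The change that actually prevents the cookie from being captured in the scenario described in the mail is serving the webmail over TLS and marking the cookie `Secure`.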
