I'd primarily call all cookies with no expiration session cookies - those get 
cleared when the browser closes down. Edge cases are persistent 'session 
cookies', e.g. used when the user selected 'remember me'... But maybe those can 
be detected at login?
/Martin

Sent from my iPhone

On 14 Sep 2012, at 17:32, Daniel Zulla <daniel.zu...@gmail.com> wrote:

> Hmm. Do you think it is impossible to write a session cookie detector?
> 
> Generally - sessions sort of look the same, across all languages, frameworks 
> and use cases: [a-zA-Z0-9_-]+
> 
> The only challenge would be to look for a pattern, e.g.: 
> - [a-z], [A-Z], [0-9], - and _ need to alternate at least after every second 
> (or third) occurrence within a string, and the strings need to have a certain 
> length.
> 
> What's the shortest session that you have ever seen... Let's say 20 
> characters?
> 
> Also, the information that the purpose of cookie x could be session delivery, 
> can be verified to a certain degree. E.g.:
> 
> w3af could lose the session, go to the login page, play around, check 
> if the server offers a new version of the cookie; re-use the old cookie, 
> check if it still works, and so on.
> 
> Best,
> Daniel
> 
> 2012/9/14 Andres Riancho <andres.rian...@gmail.com>
> Stephen,
> 
> On Fri, Sep 14, 2012 at 11:51 AM, Stephen Breen <breen.mach...@gmail.com> 
> wrote:
> > I think it's difficult to identify this,
> 
> Agreed, but if we would live in a world where we could identify which
> cookies are for session handling and which for "other stuff"; would
> you say that the ideas expressed in the previous email are correct?
> 
> > maybe they should all be logged as
> > informational.
> >
> > Plenty of applications use custom session tokens, it wouldn't be possible to
> > separate these from other types of cookie.
> >
> > On Fri, Sep 14, 2012 at 10:46 AM, Andres Riancho <andres.rian...@gmail.com>
> > wrote:
> >>
> >> List,
> >>
> >>     Yesterday I found out that w3af doesn't have a plugin that
> >> verifies if cookies have the httponly flag or not; so I decided to
> >> write it (it was going to be a 2min task) and then I asked myself: "Do
> >> all cookies need to be httponly? What's the use case where a developer
> >> needs to access a cookie from within javascript?"
> >>
> >>     I think I solved this, but I need your advice on this:
> >>         * All session cookies (PHPSESSID, etc.) need to be httponly,
> >> since there is no use case for a developer to access the cookie from
> >> javascript; and if he's doing it... he's doing something wrong.
> >>
> >>         * All other cookies (the ones that are used for tracking,
> >> language, etc.) don't need to be httponly, but it is recommended they
> >> are. There might be some cases where the JS developer wants to access
> >> the cookie that holds the language to show A or B; so that use case we
> >> can't flag as insecure nor incorrect.
> >>
> >>     Ideas?
> >>
> >> Regards,
> >> --
> >> Andrés Riancho
> >> Project Leader at w3af - http://w3af.org/
> >> Web Application Attack and Audit Framework
> >> Twitter: @w3af
> >> GPG: 0x93C344F3
> >>
> >>
> >
> >
> 
> 
> 
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
> 
> 
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
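As an added example (not part of the thread and not w3af's own code), the following Python puts the three ideas above together: Daniel's pattern test for session-looking values (charset [a-zA-Z0-9_-], a minimum length of about 20, character classes alternating at least every second or third character), Martin's observation that a cookie without Expires/Max-Age is a browser-session cookie while a persistent session-like cookie is the "remember me" edge case, and Andres's rule that a session cookie without HttpOnly is a finding while any other cookie without HttpOnly is only informational. The name hint ("sess" in the cookie name), the MAX_RUN = 3 threshold, the function names and the Set-Cookie header values are all assumptions made for this example; the headers are constructed, not captured from any real site.

```python
import re
from http.cookies import SimpleCookie

# Thresholds from the thread's proposal: tokens of [a-zA-Z0-9_-]+, at least
# ~20 characters, with character classes alternating at least every second
# or third character. MAX_RUN = 3 picks the looser "third" reading (assumption).
MIN_TOKEN_LEN = 20
MAX_RUN = 3

# Assumption for this example: a cookie whose name contains "sess"
# (PHPSESSID etc.) is treated as a session cookie regardless of its value.
SESSION_NAME_HINT = "sess"

_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def _char_class(ch):
    """Map a character to one of the four classes named in the thread."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "punct"  # '-' or '_'


def looks_like_session_token(value):
    """Pattern test: allowed charset, minimum length, frequent class changes."""
    if not _TOKEN_RE.fullmatch(value) or len(value) < MIN_TOKEN_LEN:
        return False
    run = 1
    for prev, cur in zip(value, value[1:]):
        if _char_class(prev) == _char_class(cur):
            run += 1
            if run > MAX_RUN:  # too many same-class chars in a row
                return False
        else:
            run = 1
    return True


def is_session_cookie(name, value):
    """Name hint (assumed) or value pattern decides 'session cookie'."""
    return SESSION_NAME_HINT in name.lower() or looks_like_session_token(value)


def audit_set_cookie(header_value):
    """Classify one Set-Cookie header value using the rules from the thread.

    Returns one dict per cookie parsed from the header.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    results = []
    for name, morsel in jar.items():
        httponly = bool(morsel["httponly"])
        # No Expires/Max-Age means a browser-session cookie; a persistent
        # session-like cookie is the "remember me" edge case.
        persistent = bool(morsel["expires"]) or bool(morsel["max-age"])
        session_like = is_session_cookie(name, morsel.value)
        if session_like and not httponly:
            severity, msg = "vulnerability", "session cookie set without HttpOnly"
        elif not httponly:
            severity, msg = "informational", "non-session cookie set without HttpOnly"
        else:
            severity, msg = "ok", "HttpOnly is set"
        if session_like and persistent:
            msg += " (persistent, possibly a remember-me token)"
        results.append({
            "name": name,
            "session_like": session_like,
            "persistent": persistent,
            "httponly": httponly,
            "severity": severity,
            "message": msg,
        })
    return results


# Constructed sample Set-Cookie values (not captured from any real site).
SAMPLE_HEADERS = [
    "PHPSESSID=k3Lm9Qa2Rx7Fb1Vt0Zp8Yc4W; path=/",
    "remember=Zq8Ls2Ke7Rt4Mw1Xc6Vb9Hn3Jy; path=/; Max-Age=2592000",
    "lang=en; path=/; Max-Age=31536000",
    "tracking=aaaaaaaaaaaaaaaaaaaaaaaa; path=/; HttpOnly",
]


def audit_headers(headers):
    """Run audit_set_cookie over a list of Set-Cookie header values."""
    findings = []
    for header in headers:
        findings.extend(audit_set_cookie(header))
    return findings


if __name__ == "__main__":
    for f in audit_headers(SAMPLE_HEADERS):
        print(f"{f['severity']:<13} {f['name']:<10} {f['message']}")
```

The pattern test is deliberately the heuristic from the thread and nothing more: a purely hexadecimal or purely lowercase session id with long same-class runs will fail the alternation check, which is exactly why the name hint and the behavioural verification Daniel describes (drop the session, log in again, see whether the server issues a fresh value and whether the old one still works) are needed before reporting anything as more than informational.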
