Mailing List Archive: Catalyst: Users
[SPAM] Re: Session id creation
kmx at volny

Jun 10, 2009, 3:57 AM



> http://dev.catalyst.perl.org/repos/Catalyst/Catalyst-Plugin-Session/0.00/trunk/t/live_session_fixation.t
>
>
> I specifically wrote a test for this, however it's a test and not
> comprehensive, and I can't see without spending time to take a
> detailed look again if your case is proved or disproved by this test.
>
> If what you're saying is true, then it's session fixation and fairly
> bad news - needs fixing.
>
According to my tests against a real application, t0m is right and this
straightforward session fixation attack does not work.

On the other hand, there exists (at least in my opinion) another sort of
session fixation issue in Catalyst applications, discussed here:
http://rt.cpan.org/Public/Bug/Display.html?id=46318 - however, I was not
able to convince Jayk that it is a real issue :)

--
kmx


_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
