- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Wed, 10 Nov 2010 21:40:01 +0100
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Getify <getify@gmail.com>, public-webapps@w3.org
* Jonas Sicking wrote:
>> It was brought up by Billy Hoffman (http://zoompf.com) that some web
>> applications have very sensitive sessions and they are set up to expire the
>> session (ie, log the person out) if a request is received that has no
>> session cookie header in it, etc. The assertion was that this type of thing
>> would be a potential DoS attack vector, by allowing an unrelated website to
>> include a hidden <img rel=anonymous> request in their markup that made a
>> request to a site known to log out on such non-cookie requests, and thus
>> effectively logging users out of the app without their control/knowledge.
>How will they know which session to expire given that no cookies are
>sent and so they can't who the request is coming from?

You can expire the client-side part of the session without knowing which
session it is, so long as the browser reads the Set-Cookie header in the
response. You could simply respond with an expired Set-Cookie header to any
request without a Cookie header. The server-side part of the session would
remain active, of course, but that makes no difference to users.

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Wednesday, 10 November 2010 20:40:46 UTC
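The behaviour discussed in the thread, as an added example that is not code from the list or from any of its participants: a minimal request handler in the weak form Billy Hoffman described, which answers any cookie-less request with an expiring Set-Cookie, beside a hardened form that leaves the client's cookie alone unless the request actually presented a stale one. The cookie name, the in-memory session table and the request headers are constructed for the example.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"
# Constructed server-side session store for the example: cookie value -> user.
SESSIONS = {"abc123": "alice"}


def _clear_cookie():
    # Set-Cookie value that makes the browser discard the session cookie.
    return f"{SESSION_COOKIE}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/"


def _session_from(headers):
    # Returns (presented cookie value or None, matching user or None).
    raw = headers.get("Cookie")
    if raw is None:
        return None, None
    jar = SimpleCookie()
    jar.load(raw)
    value = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None
    return value, SESSIONS.get(value)


def handle_naive(headers):
    """Weak form from the thread: any request that does not map to a live
    session, including one with no Cookie header at all, gets a response
    that expires the cookie. A cross-site <img rel=anonymous> request
    therefore clears the victim's client-side session; the server-side
    session stays alive, as Björn notes, but the user is logged out."""
    _value, user = _session_from(headers)
    if user is None:
        return {"status": 401, "Set-Cookie": _clear_cookie()}
    return {"status": 200, "user": user}


def handle_hardened(headers):
    """Only touch the client's cookie when the request actually presented
    one that no longer maps to a live session. A cookie-less request is
    merely unauthenticated: it gets a 401 with no Set-Cookie, so it cannot
    be used to clear another user's cookie."""
    value, user = _session_from(headers)
    if user is not None:
        return {"status": 200, "user": user}
    resp = {"status": 401}
    if value is not None:  # a stale or unknown cookie was presented
        resp["Set-Cookie"] = _clear_cookie()
    return resp
```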