W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2010

Re: Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 10 Nov 2010 21:55:42 +0100
To: "Jonas Sicking" <jonas@sicking.cc>, "Bjoern Hoehrmann" <derhoermi@gmx.net>
Cc: Getify <getify@gmail.com>, public-webapps@w3.org
Message-ID: <op.vly224m364w2qv@anne-van-kesterens-macbook-pro.local>
On Wed, 10 Nov 2010 21:40:01 +0100, Bjoern Hoehrmann <derhoermi@gmx.net>  
> You can expire the client-side part of the session without knowing which
> session it is, so long as the browser reads the Set-Cookie header in the
> response. You could simply respond with an expired Set-Cookie header to
> any request without a Cookie header. The server-side part of the session
> would remain active, of course, but that makes no difference to users.

Ah okay. So that would never work. As things tagged with "anonymous",  
XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore  
Set-Cookie headers.

Anne van Kesteren
Received on Wednesday, 10 November 2010 20:56:19 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:13 UTC