Re: Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

On Wed, 10 Nov 2010 21:40:01 +0100, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> You can expire the client-side part of the session without knowing which
> session it is, so long as the browser reads the Set-Cookie header in the
> response. You could simply respond with an expired Set-Cookie header to
> any request without a Cookie header. The server-side part of the session
> would remain active, of course, but that makes no difference to users.

Ah okay. So that would never work, as things tagged with "anonymous", XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore Set-Cookie headers.


-- 
Anne van Kesteren
http://annevankesteren.nl/
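The scenario in this exchange, as an added toy model that is not part of the thread or of any browser's code: the server rule from Bjoern's reply (an expired Set-Cookie for any request lacking a Cookie header) and the client rule from Anne's (a request made without credentials ignores Set-Cookie). The cookie name `sid` and the dictionary used as the cookie jar are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed session cookie name and a date in the past.
SESSION_COOKIE = "sid"
EXPIRED = "Thu, 01 Jan 1970 00:00:00 GMT"


def server_response(request_headers):
    """Server from the quoted reply: any request that carries no Cookie
    header is answered with an already-expired Set-Cookie."""
    if "Cookie" not in request_headers:
        return {"Set-Cookie": f"{SESSION_COOKIE}=; Expires={EXPIRED}; Path=/"}
    return {}


def apply_set_cookie(jar, header, now=None):
    """Store or delete cookies from one Set-Cookie header. A cookie whose
    Expires date is not in the future is removed from the jar."""
    now = now or datetime.now(timezone.utc)
    parsed = SimpleCookie()
    parsed.load(header)
    for name, morsel in parsed.items():
        expires = morsel["expires"]
        if expires and parsedate_to_datetime(expires) <= now:
            jar.pop(name, None)  # expired: delete the client-side session
        else:
            jar[name] = morsel.value
    return jar


def browser_request(jar, credentials):
    """One cross-origin XHR. credentials=False models an anonymous request:
    it sends no Cookie header and ignores any Set-Cookie in the response,
    so the jar cannot be touched by the server rule above."""
    headers = {}
    if credentials and jar:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
    response = server_response(headers)
    if credentials and "Set-Cookie" in response:
        apply_set_cookie(jar, response["Set-Cookie"])
    return jar
```

The anonymous request reaches the server without a cookie and gets the expiring header back, but the jar is left as it was; the expiry only takes effect when a credentialed request processes such a header.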

Received on Wednesday, 10 November 2010 20:56:19 UTC