- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Tue, 8 May 2007 17:46:53 -0400
- To: Johnathan Nightingale <johnath@mozilla.com>
- Cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
- Message-ID: <OFC8C71176.7492B5D4-ON852572D5.00774D68-852572D5.0077A839@LocalDomain>
That does seem like one in the class of vulnerabilities that arise from
presuming that the user didn't follow some malicious link, and that
attackers would never think to try to reuse/replay or inject data that the
server generated. Which does not seem to be in our charter (unless it's
specifically related to the robustness of security context information
display, or useful security context information itself). I've added it to
the place we track items like this:
http://www.w3.org/2006/WSC/wiki/FuturesAndOnePluses
Mez
Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect
Johnathan Nightingale <johnath@mozilla.com>
Sent by: public-wsc-wg-request@w3.org
05/08/2007 01:21 PM
To: Anil Saldhana <Anil.Saldhana@redhat.com>
cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Subject: Re: Session Fixation Issues
Hi Anil,
I haven't heard it mentioned before, but it seems like this would be
a difficult piece of context to communicate to novice users, and also
a difficult piece to programmatically identify in the first place,
since a SID-in-URL could look like almost anything.
I think the real action/recommendation here is on web site developers
to not use SID-in-URL, but that would seem to be well outside our scope.
Cheers,
Johnathan
---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
On 8-May-07, at 1:05 PM, Anil Saldhana wrote:
>
> Hi all,
> I am just wondering if ever this WG has come across requests to
> handle session fixation.
> http://en.wikipedia.org/wiki/Session_fixation
>
> Regards,
> Anil
>
> --
> Anil Saldhana
> JBoss Security & Identity Management
> http://labs.jboss.com/portal/jbosssecurity/
>
>
Received on Tuesday, 8 May 2007 21:47:11 UTC
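The server-side handling that Johnathan's recommendation points at (never read a session ID from the URL, never adopt an ID the server did not issue, rotate the ID on login), as an added example that is not part of this thread; the in-memory store, cookie name `sid` and function names are constructed for illustration:

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed in-memory store of server-issued sessions (sid -> data).
# A real deployment adds expiry and a shared backend; the logic is the same.
SESSIONS: Dict[str, dict] = {}


def sid_from_request(url: str, cookie_header: str) -> Optional[str]:
    """Read the session ID from the cookie only; anything in the URL is ignored.

    Ignoring URL parameters is the "don't use SID-in-URL" recommendation:
    an ID planted in a link can then never reach the session layer.
    """
    del url  # deliberately unused: the URL is never a session-ID source
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar["sid"].value if "sid" in jar else None


def resolve_session(presented: Optional[str]) -> str:
    """Return a server-issued session ID for this request.

    An ID the server did not issue is dropped and replaced with a fresh one,
    so a fixated ID chosen by a third party is never adopted by the server.
    """
    if presented is not None and presented in SESSIONS:
        return presented
    fresh = secrets.token_urlsafe(32)
    SESSIONS[fresh] = {}
    return fresh


def login(sid: str, user: str) -> str:
    """Authenticate and rotate the session ID.

    Rotation closes the remaining gap: even if a genuine anonymous ID was
    obtained from the server and planted, the authenticated session lives
    under an ID that only the victim's browser receives.
    """
    data = SESSIONS.pop(sid, {})  # old ID is invalidated
    data["user"] = user
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = data
    return new_sid


def session_user(sid: Optional[str]) -> Optional[str]:
    """Who is logged in under this ID, or None for unknown or anonymous IDs."""
    return SESSIONS.get(sid, {}).get("user") if sid else None
```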