cookies usually contain a sessionId to keep track of a logged user.
What would prevent a malicious user to forge millions of requests with random sessionIds and send them to a server, hoping to luckily end up with an existing session Id, and therefore stealing a random session ?
The only thing that comes to mind is the fact that the number of possibilities is quite large. However it is not infinite - I would imagine that a malicious botnet owner could easily make millions of tries in a short time.
How can I, as an application developer, prevent this ?
Thanks !
Aucun commentaire:
Enregistrer un commentaire