This blog post describes a method for preventing session fixation attacks (in ASP.Net in particular). The idea is that the session id should be tied to the user's identity in a verifiable way, which means that a given session id can't be valid for both the attacker and the victim. Their construction uses:
select random nonce
session_id = nonce || MAC(nonce || username).
For an application that runs on a cluster, distributing or changing the MAC key can be inconvenient. What is lost if the MAC is replaced by an unkeyed hash?
select random nonce
session_id = nonce || Hash(nonce || username).
It does mean that an attacker can generate session ids that are valid for a given identity, but it's still true that a session id won't be accepted for both attacker and victim. Is there a weakness with this approach?
Aucun commentaire:
Enregistrer un commentaire