Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Ben Ford (bfordat_private)
Date: Thu Aug 30 2001 - 14:51:55 PDT


    Keith.Morgan wrote:
    
    >I've always had a problem with using cookies or session variables for
    >authentication mechanisms.  These rely on client-side output.  Session
    >variables in IIS are really just temporary cookies.  I could get into a
    >whole rant about "best practices" regarding cookies, session auth etc... but
    >that's not really the purpose of my reply.  
    >
    >What I really want to know is, how does Apache deal with cookies, sessions,
    >etc...  Has anyone tested to see if Apache will accept user-supplied cookie
    >values?
    >
    
    Well, sure it would.  But Apache is not an application server, it is 
    only a web server.  Apache doesn't care what GPC values you set, it only 
    passes them on to whatever application you are running.
    
    -b
    
    -- 
    #===================================================================#
    # More dead people have written in support of Microsoft against the #
    # DOJ than any other single group, leading UMSA (United MS Shills   #
    # of America) President Steve Barkto to lodge a formal complaint.   #
    #===================================================================#
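
Added example, not part of the original message or of any project discussed in the thread: a minimal Python sketch of the application-side check the reply implies, given that the web server forwards the Cookie header unchanged. The cookie names "SID" and "user", the in-memory SESSIONS store and all function names are assumptions made for illustration.

```python
import secrets
from http.cookies import CookieError, SimpleCookie

SESSIONS = {}  # hypothetical server-side store: session id -> user name


def _parse(cookie_header):
    """Parse a raw Cookie header; malformed input yields an empty jar."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return SimpleCookie()
    return jar


def naive_user(cookie_header):
    """Weak form: identity is whatever the client wrote into the cookie."""
    jar = _parse(cookie_header)
    return jar["user"].value if "user" in jar else None


def new_session(user):
    """Issue an unguessable identifier generated by the server at login."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def user_for_request(cookie_header):
    """Hardened form: the cookie is only a lookup key into server-side state.

    An identifier this application never issued is rejected, not adopted
    as a new session, and no identity data is read from the client.
    """
    jar = _parse(cookie_header)
    if "SID" not in jar:
        return None
    return SESSIONS.get(jar["SID"].value)


if __name__ == "__main__":
    sid = new_session("alice")  # constructed sample login
    print(naive_user("user=admin"))             # client-chosen identity accepted
    print(user_for_request("SID=client-made"))  # unknown id rejected
    print(user_for_request("SID=" + sid))       # issued id maps to alice
```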
    


