Comments on: Airtight sessions

By: Kovacs

Kovacs — Sun, 15 Apr 2007 23:17:06 +0000

Uhm… a similar exploit to this has been around for a while except to my knowledge could only be performed if the victim went from site A straight to site B. Nice article nonetheless and I’m liking the new site… could do with a little bit of design clean up though… like when your numbered lines in the code get into double digits, the former digit extrudes from within the box.

By: Bas

Bas — Sun, 15 Apr 2007 09:54:59 +0000

Site B will be able to make an HTTP POST request, but it can not set the session ID in question because it does not have access to it.

The problem lies in the fact that site B can send a request to site A and trick the browser into sending site A’s cookie, too. However, it can never read the cookie data for site A (not with this particular exploit, anyway).

By: Vincent

Vincent — Sun, 15 Apr 2007 09:17:30 +0000

But why wouldn’t site B be able to make a HTTP POST request and send the session ID in it? How will an attack look if airtight sessions (i.e. what will happen when it fails)? How does this prevent the attack?