perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aleksandr Guidrevitch <>
Subject Apache::Session
Date Thu, 14 Aug 2003 10:54:07 GMT
Hi, All

Sorry, this post might be out of scope of this particular list, but 
still... don't punch me heavily :) I just think the people here might 
have met this problem while deploying big public applications.

I use Apache::Session to identify logged in users. However, the users 
are allowed to post html (obviously with javascript) messages viewable 
by others. That could create an XSS vulnerability and allow to steal the 
sessions (cookies) from other users.

Is it possible to uniquely identify the user by some attributes ?
The only thing I consider now is IP, but what about proxies and NATs ?
User Agent string could also be stolen via javascript. That means I tend 
to make stolen session ids non-reusable.

Any thoughts ?

Aleksandr Guidrevitch

View raw message