AppSec Blog: Category - Sessions

Session Attacks and PHP - Part 2

Yes, I will talk in this article about why it is not good to leave your session files in /tmp. But first, allow me to follow Jason's lead and talk about the session attacks he discussed in Part 2 of his ASP.NET article. I will keep it short Session fixation isn't really that much of … Continue reading Session Attacks and PHP - Part 2


Session Attacks and ASP.NET - Part 2

In Session Attacks and ASP.NET - Part 1, I introduced one type of attack against the session called Session Fixation as well as ASP.NET's session architecture and authentication architecture. In this post, I'll delve into a couple specific attack scenarios, cover risk reduction, and countermeasures. Attack Scenario: ASP.NET Session with Forms Authentication So understanding the … Continue reading Session Attacks and ASP.NET - Part 2


Session Attacks and PHP

This blog is of course inspired by Jason's ASP .Net blog. I figured as the PHP guy in the group, I may as well cover what he did for .Net from the PHP side. PHP's default session mechanism is rather simple and effective. The php.ini file configures how sessions work. Many of the parameters can … Continue reading Session Attacks and PHP


Session Attacks and ASP.NET - Part 1

I've spent some time recently looking for updated information regarding session attacks as they apply to ASP.NET and am still not completely satisfied with how Microsoft has decided to implement session management in ASP.NET 2.0+ (haven't looked at 4.0 beta yet). Before illustrating how a specific attack works with some specific countermeasures for ASP.NET (in … Continue reading Session Attacks and ASP.NET - Part 1