Posted by Curt Zirzow on 10/21/81 11:31
On Tue, Nov 08, 2005 at 11:32:33PM -0500, Ben Ramsey wrote:
> On 11/8/05 10:27 PM, Tony Di Croce wrote:
> >
> >The sites are both physically located on the same machine.
> >
> >What if I encrypt the session_id, and put it in a "hidden" text input
> >box in a form, that is delivered via POST to the other site. This way,
> >the session id is passed, but it is encrypted?
>
> To me, it's not a question of whether the sites are physically located
> on the same machine, and it's not a question of encrypting the session
> id. Anyone who even knows the encrypted session id could then POST it to
> the form in a replay attack, authenticating themselves as the intended
> user. Also, hidden form fields aren't really "hidden."
>
> For me, it's a question of practice. I would not attempt to share a
> session across to different domains. Even large sites (such as Yahoo)
> don't seem to do this.
>
> Yahoo appears to maintain sessions across its subdomains, and, for this
> reason, all Yahoo images are served from a completely separate domain
> (yimg.com). None of the images served from yimg.com contain the cookie
> headers associated with yahoo.com (and, thus, they are not associated
> with any user sessions). There are two reasons (I know of) for doing
> this: 1) bandwidth (less data passing across the HTTP headers), and 2)
> it prevents CSRF attacks on Yahoo user accounts that could occur by
> attackers serving images from a yahoo.com domain on other sites.
3) less headaches for the programmers for yimg.com
Curt.
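To show the replay problem Ben describes from a defender's side, here is an added example (not code from this thread, and not PHP): instead of a reusable encrypted session id in a hidden field, site A mints a short-lived, single-use handoff token and site B refuses any second presentation of it. The shared key, session id and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; both sites on the same host would share it out of band.
SECRET = b"constructed-demo-key"
TTL_SECONDS = 60


def mint_handoff(session_id: str, now: int) -> str:
    """Site A: bind the session id to a fresh nonce and an expiry, then MAC it."""
    nonce = secrets.token_hex(16)
    exp = now + TTL_SECONDS
    msg = f"{session_id}|{nonce}|{exp}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{session_id}|{nonce}|{exp}|{tag}"


class Redeemer:
    """Site B: accept a token only if the MAC checks, it is unexpired, and its nonce is unseen."""

    def __init__(self) -> None:
        self.used_nonces: set[str] = set()

    def redeem(self, token: str, now: int):
        try:
            session_id, nonce, exp, tag = token.split("|")
            exp_int = int(exp)
        except ValueError:
            return None  # malformed token
        msg = f"{session_id}|{nonce}|{exp}".encode()
        expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None  # tampered or forged
        if now > exp_int:
            return None  # expired
        if nonce in self.used_nonces:
            return None  # replay: the same POST body presented a second time
        self.used_nonces.add(nonce)
        return session_id


if __name__ == "__main__":
    r = Redeemer()
    t = mint_handoff("sess123", now=1000)
    print(r.redeem(t, now=1010))  # sess123
    print(r.redeem(t, now=1011))  # None, replay rejected
```

A plain encrypted session id has no nonce or expiry, so the same redeem check would accept it every time it was posted.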