Preventing logins to a chosen session

There is one common denominator to all session fixation attacks and scenarios:
the user logs in to a session whose ID was chosen by the attacker, instead of being issued a newly generated session ID by the server at login time. There is no compelling reason for a web application to explicitly allow this; it is a side effect of how most session mechanisms are implemented, which treat whatever ID the browser presents as the session to authenticate and simply attach the user's identity to it. We therefore propose forceful prevention of logging into a chosen session: a web application must ignore any session ID supplied by the user's browser at login and must always generate a fresh session ID, bound to a fresh server-side session, into which the user is logged if authentication succeeds. Any pre-login state worth keeping can be copied into the new session, after which the old ID must be invalidated so that whoever planted it gains nothing from the victim's login.
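The following is an added example, not code from the original page or from any particular framework, showing the difference between a login routine that adopts the session ID presented by the browser and one that always issues a new ID. The in-memory session store, the `USERS` table, the `ATTACKER-CHOSEN-ID` value and the helper names are all constructed for illustration; the simulated attack plants an ID in the victim's browser and checks whether that ID resolves to the victim's account after login.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed in-memory session store standing in for a server-side session table.
@dataclass
class Session:
    user: Optional[str] = None
    data: dict = field(default_factory=dict)

class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new(self) -> str:
        """Issue a fresh, unguessable session ID bound to an empty session."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def adopt(self, sid: str) -> Session:
        """Register a client-supplied ID as a session (the behaviour that enables fixation)."""
        return self._sessions.setdefault(sid, Session())

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

USERS = {"alice": "correct horse battery staple"}  # constructed credentials (hypothetical)

def check_credentials(username: str, password: str) -> bool:
    return secrets.compare_digest(USERS.get(username, ""), password)

def login_vulnerable(store: SessionStore, presented_sid: str,
                     username: str, password: str) -> Optional[str]:
    # Authenticates whatever session ID the browser presented, even one the server
    # never issued. An attacker who planted presented_sid now shares the victim's session.
    if not check_credentials(username, password):
        return None
    sess = store.adopt(presented_sid)
    sess.user = username
    return presented_sid

def login_fixed(store: SessionStore, presented_sid: str,
                username: str, password: str) -> Optional[str]:
    # Ignores the presented ID when choosing the authenticated session: a new ID is
    # generated on success, pre-login state is copied over, and the old ID is invalidated.
    if not check_credentials(username, password):
        return None
    old = store.get(presented_sid)
    new_sid = store.new()
    new_sess = store.get(new_sid)
    if old is not None:
        new_sess.data = dict(old.data)  # e.g. a shopping cart built before login
    store.destroy(presented_sid)        # the planted ID must never become authenticated
    new_sess.user = username
    return new_sid

def fixation_attack(login, attacker_has_real_sid: bool) -> Tuple[Optional[str], Optional[str]]:
    """Simulate the attack against a given login routine.

    Returns (user the attacker's planted ID resolves to after the victim logs in,
             session ID the victim's browser ends up holding).
    """
    store = SessionStore()
    # Either the attacker obtained a legitimate anonymous ID from the server first,
    # or simply made one up; both are planted in the victim's browser (constructed).
    attacker_sid = store.new() if attacker_has_real_sid else "ATTACKER-CHOSEN-ID"
    victim_sid = login(store, attacker_sid, "alice", "correct horse battery staple")
    sess = store.get(attacker_sid)
    return (sess.user if sess else None), victim_sid
```

With `login_vulnerable`, both variants of the attack end with the attacker's ID resolving to `alice`; with `login_fixed`, the planted ID is gone from the store and the victim holds an ID the attacker has never seen. The same regeneration should also happen on any other privilege change, for the same reason.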
Security - Session fixation attacks
Posted by Malu