Regardless of whether you store your session token as Rich describes in a cookie, or in the URL, there is a danger that someone could use a man-in-the-middle attack like you describe. Tying the token to client IP address is a naïve approach, and will fail with clients from behind proxy farms at large ISPs. If you are afraid of the traffic being snarfed, you have bigger problems, and should be using SSL. Even with SSL, it is possible for a man-in-the-middle attack to succeed (if someone can guess or otherwise obtain your token). To prevent the man-in-the-middle attack altogether you need to use client certificates.
> -----Original Message-----
> From: Elliotte Rusty Harold [mailto:elharo@metalab.unc.edu]
> Sent: Wednesday, January 07, 2004 2:17 PM
> To: Rich Salz
> Cc: Berend de Boer; xml-dev@lists.xml.org
> Subject: Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for
> Participation
>
> At 4:15 PM -0500 1/7/04, Rich Salz wrote:
>
> >No. I'm saying without rest I send it once, store it at the server,
> >use a cookie to refer to it in future transactions.
>
> Is the cookie sent unencrypted? If so, and we're not using SSL (as is
> the case in many cookie scenarios) what, if anything, prevents an
> attacker from snarfing the authentication cookie as it makes its way
> back from the client to the server (or in the other direction) and
> adding that to its own requests to the same server?
>
> I hope there's something that prevents this. There must be. Otherwise
> this is a huge, gaping security hole much bigger than anything we've
> been arguing about, and I would think it would have lots of practical
> exploits on the Web today. Please tell me there's some reason this
> attack won't work.
> --
>
> Elliotte Rusty Harold
> elharo@metalab.unc.edu
> Effective XML (Addison-Wesley, 2003)
> http://www.cafeconleche.org/books/effectivexml
>
> http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
>
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
>
> The list archives are at http://lists.xml.org/archives/xml-dev/
>
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>
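An added illustration of the trade-off discussed above, not code from the thread or from any of its authors: a server-side session store of the kind Rich describes (state on the server, the cookie only carries an unguessable reference), with an optional IP-binding switch that shows why the reply calls that approach naïve, plus the cookie attributes that keep the reference off plaintext HTTP. All names (`SessionStore`, `set_cookie_header`) and the sample addresses are hypothetical.

```python
import secrets
import time


class SessionStore:
    """Opaque server-side sessions referenced by a random token (constructed example)."""

    def __init__(self, ttl_seconds=3600, bind_ip=False):
        self._sessions = {}
        self.ttl = ttl_seconds
        self.bind_ip = bind_ip  # the "tie the token to the client IP" option

    def issue(self, user, client_ip, now=None):
        now = time.time() if now is None else now
        # 32 random bytes from the OS CSPRNG: the token is a pure reference,
        # derived from nothing the user knows, so it cannot be guessed.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "ip": client_ip,
                                 "expires": now + self.ttl}
        return token

    def validate(self, token, client_ip, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None or now >= entry["expires"]:
            return None
        if self.bind_ip and entry["ip"] != client_ip:
            # Rejects a cookie replayed from another address, but equally
            # rejects a legitimate user whose ISP proxy farm rotated their
            # egress address mid-session: this is the failure the reply notes.
            return None
        return entry["user"]

    def revoke(self, token):
        # Server-side state means a sniffed or leaked token can be killed.
        self._sessions.pop(token, None)


def set_cookie_header(token):
    # Secure: the browser never sends it over plain HTTP, so the wire-sniffing
    # scenario in the quoted mail requires breaking SSL first.
    # HttpOnly: not readable by page scripts. SameSite: not sent cross-site.
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

Binding to the IP trades a mobile-user lockout for a partial replay defence; the Secure flag over SSL, a short TTL and revocation address the sniffing case without that cost.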