On 22.04.2012 21:38, Michael Heydekamp wrote:
protecting sessions from hijacking by remembering the user-agent
at start and aborting each request with the same session ID and a different user-agent is common sense, and some implementations also include the client IP
Didn't know that. But how can a different user on a different machine have the same session ID (if not by random)? Is there any way to a) get hold of the ID of any other user's session, and b) influence his own session ID in a way that he would identify himself with the same ID?
How long do you think it takes to write a cookie like this? The only interesting part is "roundcube_sessauth=S1168d2474c3b543053461d00f9c8b1a1b1764905"
Being in an open WLAN without SSL, anybody can fake it in seconds
Cookie: mailviewsplitterv=244; mailviewsplitter=262; composesplitterv=175; prefsviewsplitter=195; folderviewsplitter=300; addressviewsplitter=250; addressviewsplitterd=200; identviewsplitter=300; tl_webmail_sessid=vpxiRqxOLDa%2CM7gMP81eB2hPPc1; roundcube_sessauth=S1168d2474c3b543053461d00f9c8b1a1b1764905
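A server-side sketch of the mitigation quoted above (remember the User-Agent, and optionally the client IP, at login and abort any later request that presents the same session ID from a different client) together with the cookie attributes that keep the session cookie off plain HTTP on an open WLAN. This is an added example, not Roundcube's own code; the in-memory store, the function names and the cookie attribute set are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory session store (assumption: a real deployment would use
# the application's own session backend).
@dataclass
class Session:
    user: str
    ua_hash: str
    ip: Optional[str]  # None when IP binding is disabled

SESSIONS: Dict[str, Session] = {}

def _fingerprint(user_agent: str) -> str:
    """Hash the User-Agent so the raw header is not stored next to the session."""
    return hashlib.sha256(user_agent.encode()).hexdigest()

def start_session(user: str, user_agent: str, client_ip: str, bind_ip: bool = False) -> str:
    """Create a session and remember the client's User-Agent (and optionally IP) at login."""
    sid = secrets.token_hex(20)  # 160 random bits, 40 hex chars like the sessauth value above
    SESSIONS[sid] = Session(user, _fingerprint(user_agent), client_ip if bind_ip else None)
    return sid

def validate_request(sid: str, user_agent: str, client_ip: str) -> Optional[str]:
    """Return the session's user, or None after destroying the session when the
    User-Agent (or bound IP) differs from the one seen at login."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    ua_ok = hmac.compare_digest(sess.ua_hash, _fingerprint(user_agent))
    ip_ok = sess.ip is None or sess.ip == client_ip
    if not (ua_ok and ip_ok):
        del SESSIONS[sid]  # abort: a replayed cookie from another client kills the session
        return None
    return sess.user

def set_cookie_header(sid: str) -> str:
    """Secure keeps the cookie off unencrypted connections, HttpOnly keeps it
    away from document.cookie; SameSite=Lax limits cross-site replay."""
    return f"Set-Cookie: roundcube_sessauth={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"

if __name__ == "__main__":
    sid = start_session("alice", "Mozilla/5.0 (X11; Linux)", "192.0.2.10")  # constructed input
    print(validate_request(sid, "Mozilla/5.0 (X11; Linux)", "192.0.2.10"))  # alice
    print(validate_request(sid, "curl/7.0", "192.0.2.10"))                  # None, session destroyed
```

Note that a sniffer on the same WLAN sees the User-Agent header along with the cookie, so this check only raises the bar; TLS plus the Secure attribute is what actually keeps the cookie private.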