Hi Arpad,

On Tue, Aug 6, 2013 at 4:17 AM, Arpad Ray <[email protected]> wrote:

> On Mon, Aug 5, 2013 at 7:46 PM, Yasuo Ohgaki <[email protected]> wrote:
>
>> On Tue, Aug 6, 2013 at 1:04 AM, Arpad Ray <[email protected]> wrote:
>>
>>> I think there really should be a vote.
>>
>>
>> This means you don't really understand the true risk of this
>> vulnerability.
>> It allows permanent session ID fixation. This is a CVE-assigned
>> vulnerability.
>> Details are explained in the RFC and I don't want to explain fully in ML
>> again.
>> (We might have discussed the details in [email protected], but I think I wrote
>> enough info)
>>
>> Please refer to the RFC.
>>
>
> I do really understand the risk...
>

It allows "permanent" session ID fixation due to browser implementations.
To make matters worse than in the old days, recent browsers only send one
outstanding cookie. This made attack detection impossible on the server side.
(i.e. a bad countermeasure(?) taken by browser developers)

If you are still curious about this vulnerability fix, please read the RFC and
do a little experiment. I did the experiment 2 years ago (and even 10 years
ago). I suppose things have not changed.

Regards,

--
Yasuo Ohgaki
[email protected]
