Roel,
On 11/24/15 2:19 PM, Roel Storms wrote:
> When I am in a hurry to get a website up and running and I have no
> resources to do so, security is going to be my last concern.
This item should be listed as #1 on OWASP's list of the Most Critical
Application Security Risks.
-chris
The only way cookie-based session management is secure is when
you apply a number of countermeasures:
Correct flags, path and domain attributes, no untrusted applications
on subdomains (solved by origin cookies), ...
You run it over TLS to withstand sniffers.
There is no clean mechanism to share
Roel,
On 11/24/15 10:43 AM, Roel Storms wrote:
> 2015-11-24 16:11 GMT+01:00 Christopher Schultz :
>
>> Roel,
>>
>> On 11/24/15 9:44 AM, Roel Storms wrote:
>>> I am trying to protect the client from:
>>>
>>> Session fixation
>>
>> Tomcat already provides session-fixation protection when using UR
2015-11-24 16:11 GMT+01:00 Christopher Schultz :
> Roel,
>
> On 11/24/15 9:44 AM, Roel Storms wrote:
> > I am trying to protect the client from:
> >
> > Session fixation
>
> Tomcat already provides session-fixation protection when using URL-based
> or cookie-based session-tracking. When authentica
Roel,
On 11/24/15 9:44 AM, Roel Storms wrote:
> I am trying to protect the client from:
>
> Session fixation
Tomcat already provides session-fixation protection when using URL-based
or cookie-based session-tracking. When authentication occurs, Tomcat
will change the session identifier, effective
I am trying to protect the client from:
Session fixation
Session hijacking
Assure that requests that are received in an established session can't be
modified in transit (integrity of requests).
Maybe I also want to check integrity of the response since otherwise an
active MitM attack can still mod
Roel,
On 11/24/15 9:17 AM, Roel Storms wrote:
> TLS will sign everything and therefore will not allow fine-grained integrity
> checking. Why do we want this? Middleboxes might alter some non-security
> sensitive information and I don't want to drop those requests. But I am
> looking into TLS alread
Roel,
On 11/24/15 5:12 AM, Roel Storms wrote:
> It's to implement a new session mechanism that guarantees integrity of the
> requests sent in the session and also protect the session from attacks
> based on stealing or replacing the session identifier. This is a thesis I'm
> working on and this To
André,
On 11/23/15 11:18 AM, André Warnier (tomcat) wrote:
> On 23.11.2015 16:31, Mark Thomas wrote:
>> On 23/11/2015 14:30, Roel Storms wrote:
>>> Hello,
>>>
>>> I am working on a Valve that does some integrity checking on HTTP
>>> requests
>>> (the details aren't important) where I need this val
TLS will sign everything and therefore will not allow fine-grained integrity
checking. Why do we want this? Middleboxes might alter some non-security
sensitive information and I don't want to drop those requests. But I am
looking into TLS already to see if I can use it for my purpose. We
certainly d
On 24/11/2015 10:12, Roel Storms wrote:
> It's to implement a new session mechanism that guarantees integrity of the
> requests sent in the session and also protect the session from attacks
> based on stealing or replacing the session identifier. This is a thesis I'm
> working on and this Tomcat va
It's to implement a new session mechanism that guarantees integrity of the
requests sent in the session and also protect the session from attacks
based on stealing or replacing the session identifier. This is a thesis I'm
working on and this Tomcat valve should prove that migration from cookie
base
On 23.11.2015 21:14, Roel Storms wrote:
Ok, thank you for the clear response. I see the problem with file type
elements.
If you really have an overwhelming need to pre-check whole POST bodies before passing them
to a Tomcat application, you may want to think about fronting your Tomcat server w
Ok, thank you for the clear response. I see the problem with file type
elements.
2015-11-23 17:18 GMT+01:00 André Warnier (tomcat) :
> On 23.11.2015 16:31, Mark Thomas wrote:
>
>> On 23/11/2015 14:30, Roel Storms wrote:
>>
>>> Hello,
>>>
>>> I am working on a Valve that does some integrity checki
On 23.11.2015 16:31, Mark Thomas wrote:
On 23/11/2015 14:30, Roel Storms wrote:
Hello,
I am working on a Valve that does some integrity checking on HTTP requests
(the details aren't important) where I need this valve to have access to
the HTTP request body as well. I used request.getInputStream
2015-11-23 16:31 GMT+01:00 Mark Thomas :
> On 23/11/2015 14:30, Roel Storms wrote:
> > Hello,
> >
> > I am working on a Valve that does some integrity checking on HTTP
> requests
> > (the details aren't important) where I need this valve to have access to
> > the HTTP request body as well. I used
On 23/11/2015 14:30, Roel Storms wrote:
> Hello,
>
> I am working on a Valve that does some integrity checking on HTTP requests
> (the details aren't important) where I need this valve to have access to
> the HTTP request body as well. I used request.getInputStream to fetch the
> data. However whe