[hunchentoot-devel] Sessions not secure?

Edi Weitz edi at agharta.de
Wed Dec 26 17:18:24 UTC 2007


On Sun, 23 Dec 2007 23:31:03 +0100, Edi Weitz <edi at agharta.de> wrote:

> On Sun, 23 Dec 2007 22:22:22 +0000 (UTC), Sohail Somani <sohail at taggedtype.net> wrote:
>
>> Hypothetically speaking, if I wanted to prevent hijacking by
>> guessing, I could just redefine hunchentoot:get-next-session-id.
>>
>> Does this sound correct?
>
> Yes, I think so.

Er, no, actually.  I've seen this mentioned in your blog

  http://uint32t.blogspot.com/2007/12/abusing-hunchentoots-dispatch-mechanism.html

and thought about it again.  So, tell me, if you happen to know for
sure that my session ID is 42 and if you also know my user agent
string and my IP address, how would you construct a cookie to hijack
my session?

Edi.
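As an added illustration of the point in the message above (example code, not Hunchentoot's own implementation): a session cookie that carries a keyed MAC over the session id, user agent and remote address cannot be reproduced from those three values alone, because the MAC also depends on a secret that never leaves the server. The HMAC-SHA256 construction, the function names and the sample values are assumptions for this example, not the library's code.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret: generated once at startup, never sent to clients.
SESSION_SECRET = secrets.token_bytes(32)


def session_mac(session_id: int, user_agent: str, remote_addr: str,
                secret: bytes = SESSION_SECRET) -> str:
    """Keyed MAC binding the session id to the client's user agent and address."""
    # NUL separators keep "1"+"2x" and "12"+"x" from colliding.
    msg = f"{session_id}\x00{user_agent}\x00{remote_addr}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_cookie(session_id: int, user_agent: str, remote_addr: str,
                secret: bytes = SESSION_SECRET) -> str:
    """Cookie value as "<id>:<mac>"; the id is public, the mac proves the server issued it."""
    return f"{session_id}:{session_mac(session_id, user_agent, remote_addr, secret)}"


def verify_cookie(cookie: str, user_agent: str, remote_addr: str,
                  secret: bytes = SESSION_SECRET):
    """Return the session id if the cookie is authentic for this client, else None."""
    sid_str, sep, mac = cookie.partition(":")
    if not sep or not sid_str.isdigit():
        return None
    sid = int(sid_str)
    expected = session_mac(sid, user_agent, remote_addr, secret)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(mac, expected):
        return None
    return sid


if __name__ == "__main__":
    # Constructed sample client: session id 42 is "known", as are UA and IP.
    ua, ip = "Mozilla/5.0 (example)", "192.0.2.10"
    cookie = make_cookie(42, ua, ip)
    print("issued:", cookie)
    print("valid for real client:", verify_cookie(cookie, ua, ip))
    # Same id, UA and IP, but MAC computed under a guessed secret: rejected.
    forged = make_cookie(42, ua, ip, secret=b"guessed-secret")
    print("forged cookie accepted:", verify_cookie(forged, ua, ip))
```

Binding to the remote address is a trade-off in practice: clients behind rotating proxies or on mobile networks change address mid-session and would be logged out, so many deployments bind only to the secret and the user agent.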
