Does Session ID rotation enhance security?


I (think I) understand that the session ID must be rotated when the user logs in; that is the important step.

However, does rotating session IDs randomly or from request to request have any advantage?

In my opinion this only gives a false sense of security. Assuming that session IDs are not weak enough to guess by brute force, and that you only send the session ID in a cookie (not as part of the URL), then an attacker would have to obtain the cookie (most likely by sniffing your traffic) to get the session ID. In that case, if the attacker can sniff one session ID, they will probably be able to sniff the rotated session ID as well, and so rotating randomly does not increase security.

If you store session identifiers in cookies, then session fixation is not a problem. I skimmed through the linked papers, and they rely on things like using DNS and XSS, which are clearly much bigger (unmentioned, separate) problems than session fixation. If you have a session identifier (with an acceptable level of entropy) stored in a cookie, there is no sensible reason to rotate it. The only reason to rotate would be that it can be obtained in some other way, in which case the user is owned anyway.
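As an added example (not code from the question or the answer above): a minimal in-memory session store in Python that issues high-entropy IDs from the OS CSPRNG and rotates the ID exactly once, at login, invalidating the pre-login ID so that an ID known before authentication never becomes an authenticated one. The store, function names and the user name are assumptions made for illustration.

```python
import secrets
import time

# Constructed in-memory session store: session_id -> {"user": str | None, "created": float}
SESSIONS = {}


def new_session_id():
    # 32 bytes (256 bits) from the OS CSPRNG, URL-safe encoded: not brute-forceable
    return secrets.token_urlsafe(32)


def create_session():
    """Issue an anonymous (pre-login) session, as a server does on first visit."""
    sid = new_session_id()
    SESSIONS[sid] = {"user": None, "created": time.time()}
    return sid


def login(sid, username):
    """Authenticate: rotate the ID and drop the old one (the fixation defence).

    Pre-login state is discarded here; migrate it explicitly if the app needs it.
    An unknown or forged pre-login ID simply results in a fresh session."""
    SESSIONS.pop(sid, None)
    new_sid = new_session_id()
    SESSIONS[new_sid] = {"user": username, "created": time.time()}
    return new_sid


def current_user(sid):
    """Resolve a presented session ID to its authenticated user, or None."""
    entry = SESSIONS.get(sid)
    return entry["user"] if entry else None


def logout(sid):
    SESSIONS.pop(sid, None)


def demo():
    # Scenario: the browser carries a pre-login session ID that a third party also knows.
    fixated = create_session()
    authenticated = login(fixated, "alice")  # hypothetical user name
    return {
        "fixated_id_still_valid": current_user(fixated) is not None,  # False
        "new_id_user": current_user(authenticated),                   # "alice"
        "ids_differ": fixated != authenticated,                       # True
    }
```

After login the only valid ID is the freshly issued one, so no further per-request rotation is needed for fixation; sniffing the cookie is a separate problem that rotation does not address.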
