[cap-talk] Security considerations for cookies
Ben Laurie
benl at google.com
Tue Feb 23 11:05:29 PST 2010
On 15 February 2010 15:35, Adam Barth <w3c at adambarth.com> wrote:
> >> If the UA issues a single HTTP request, an active network attacker can
> >> spoof an HTTP redirect response and cause the UA to generate an HTTP
> >> request to the server. Now, if the user agent is configured to use
> >> Strict-Transport-Security for that host, there is some hope. :)
> >
> > Thanks for explaining. Is there a name for this attack? "Cookie
> > overwriting" sounds appropriate (and you use this term in your paper),
> but
> > Googling for this term doesn't produce many references.
>
> I don't know of a good name. Informally, we've been referring to it
> as "cookie forcing."
>
This is a form of session fixation attack. Not sure if that helps much, but
at least it nails down what the threat is.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.eros-os.org/pipermail/cap-talk/attachments/20100223/ae61590a/attachment.html
More information about the cap-talk
mailing list