Session fixation


...Session IDs are supposed to make online transactions secure. Sometimes, though, they can come back and bite the Web applications using them, especially if they're not implemented properly. It's important to note that almost every attack scenario using session fixation involves the criminal contacting the victim and including a preset session ID within the target URL.

As long as the victim doesn't click the link in the e-mail, the attack isn't successful. But many people do fall for these sophisticated phishing attacks. If you view the source of the e-mail, the URL is legitimate; if you click it, you will connect to the proper Web site. Only the details at the end of the URL may be confusing. For example, the characters ?SID followed by a random number-letter combination would be a session-fixation attack.

Security Watch: Session fixation - CNET reviews

Linked by shanmuga Friday, 18th August 2006 12:49AM
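As an added illustration (not code from the CNET piece or from this post), the following Python models the server-side behaviour that makes a preset ?SID dangerous beside the usual mitigation: only honour identifiers the server issued, and rotate the identifier at login. The parameter name SID, the store layout and the sample link are assumptions for this example.

```python
import secrets
from urllib.parse import urlparse, parse_qs

def sid_from_url(url):
    """Return the SID query parameter a link carries, or None.
    Helper constructed for this example; parameter name 'SID' is assumed."""
    values = parse_qs(urlparse(url).query).get("SID")
    return values[0] if values else None

class SessionStore:
    """Minimal in-memory session store: sid -> {"user": username or None}."""
    def __init__(self):
        self.sessions = {}

    def issue(self):
        # Server-generated, unpredictable identifier (256 bits of entropy).
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

def vulnerable_login(store, request_sid, username):
    """Fixable behaviour: whatever SID the request presents is adopted as a
    session, so an identifier pre-shared in a phishing link stays valid and
    becomes authenticated the moment the victim logs in with it."""
    store.sessions.setdefault(request_sid, {"user": None})
    store.sessions[request_sid]["user"] = username
    return request_sid

def hardened_login(store, request_sid, username):
    """Mitigation: never adopt a client-supplied SID, and replace the
    identifier at authentication so a preset one is worthless."""
    if request_sid in store.sessions:
        del store.sessions[request_sid]   # retire the pre-login session
    new_sid = store.issue()                # fresh, server-chosen identifier
    store.sessions[new_sid]["user"] = username
    return new_sid

if __name__ == "__main__":
    link = "https://bank.example/login?SID=attacker-chosen-123"  # constructed
    preset = sid_from_url(link)
    s1 = SessionStore()
    print("vulnerable keeps preset SID:", vulnerable_login(s1, preset, "victim") == preset)  # True
    s2 = SessionStore()
    print("hardened keeps preset SID:", hardened_login(s2, preset, "victim") == preset)      # False
```

The same rotation belongs at every privilege change, not only at login, and the server should set the identifier in a cookie rather than accept it from the query string at all.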