Re: Re: [RFC Discussion] Precise Session Management

From:	Yasuo Ohgaki	Date:	Wed, 27 Jan 2016 02:04:46 +0000
Subject:	Re: Re: [RFC Discussion] Precise Session Management
References:	1 2 3 4 5 6 7 8 9 10 11	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi!

On Wed, Jan 27, 2016 at 11:02 AM, Yasuo Ohgaki <[email protected]> wrote:
>
> There are 2 ways to keep/generate stolen session
>
>  - Set undeletable cookie to browser
>  - Get active session via exploit and access it before GC
>
> As I have already explained, getting active session ID is trivial with
> access to psychical device. e.g. Steal colleges' session ID while they
> are leaving desk. It's just a matter of displaying session ID cookie
> and take picture of it.

  - Set undeletable cookie to browser

this is

  - Set unchangable cookie to browser

to be precise.

--
Yasuo Ohgaki
[email protected]


   

Thread (39 messages)

• Yasuo OhgakiFri, 18 Dec 2015 22:33:10 +0000
  • Yasuo OhgakiMon, 21 Dec 2015 01:01:47 +0000Re: [RFC Discussion] Precise Session Management
    • Mike WillbanksMon, 21 Dec 2015 04:24:24 +0000Re: Re: [RFC Discussion] Precise Session Management
      • Yasuo OhgakiTue, 22 Dec 2015 05:37:12 +0000
        • Grzegorz ZdanowskiTue, 22 Dec 2015 08:42:26 +0000
          • Yasuo OhgakiTue, 22 Dec 2015 09:22:45 +0000
            • Yasuo OhgakiTue, 22 Dec 2015 23:27:09 +0000
  • Stanislav MalyshevTue, 22 Dec 2015 06:22:09 +0000
    • Yasuo OhgakiTue, 22 Dec 2015 09:11:39 +0000
  • Yasuo OhgakiTue, 05 Jan 2016 01:21:16 +0000Re: [RFC Discussion] Precise Session Management
    • Dan AckroydThu, 07 Jan 2016 15:54:16 +0000Re: Re: [RFC Discussion] Precise Session Management
      • Yasuo OhgakiFri, 08 Jan 2016 01:28:31 +0000
  • Yasuo OhgakiFri, 22 Jan 2016 01:19:36 +0000Re: [RFC Discussion] Precise Session Management
    • Yasuo OhgakiFri, 22 Jan 2016 01:32:53 +0000
      • Yasuo OhgakiTue, 26 Jan 2016 02:22:19 +0000
        • Yasuo OhgakiTue, 26 Jan 2016 07:01:55 +0000
          • Yasuo OhgakiTue, 26 Jan 2016 07:16:41 +0000
          • Yasuo OhgakiTue, 26 Jan 2016 07:37:21 +0000
          • Stanislav MalyshevTue, 26 Jan 2016 08:15:50 +0000Re: Re: [RFC Discussion] Precise Session Management
            • Yasuo OhgakiTue, 26 Jan 2016 09:29:02 +0000
              • Stanislav MalyshevWed, 27 Jan 2016 00:16:07 +0000
                • Yasuo OhgakiWed, 27 Jan 2016 01:18:20 +0000
                  • Stanislav MalyshevWed, 27 Jan 2016 01:22:45 +0000
                    • Yasuo OhgakiWed, 27 Jan 2016 01:30:13 +0000
        • Stanislav MalyshevTue, 26 Jan 2016 08:01:07 +0000Re: Re: [RFC Discussion] Precise Session Management
          • Yasuo OhgakiTue, 26 Jan 2016 10:28:13 +0000
            • Yasuo OhgakiTue, 26 Jan 2016 12:17:27 +0000
              • Dan AckroydTue, 26 Jan 2016 15:05:46 +0000
                • Yasuo OhgakiTue, 26 Jan 2016 22:14:59 +0000
              • Stanislav MalyshevTue, 26 Jan 2016 23:49:58 +0000
                • Yasuo OhgakiWed, 27 Jan 2016 00:21:58 +0000
                  • Stanislav MalyshevWed, 27 Jan 2016 01:25:57 +0000
                    • Yasuo OhgakiWed, 27 Jan 2016 02:02:10 +0000
                      • Yasuo OhgakiWed, 27 Jan 2016 02:04:46 +0000
            • Stanislav MalyshevWed, 27 Jan 2016 00:12:26 +0000
              • Yasuo OhgakiWed, 27 Jan 2016 01:07:18 +0000
  • Yasuo OhgakiSat, 30 Jan 2016 10:37:33 +0000Re: [RFC Discussion] Precise Session Management
    • Stanislav MalyshevSun, 31 Jan 2016 23:44:56 +0000Re: Re: [RFC Discussion] Precise Session Management
      • Yasuo OhgakiMon, 01 Feb 2016 02:17:48 +0000