> -----Original Message-----
> From: Christopher Ostmo [mailto:[EMAIL PROTECTED]]
>
> Ian Bagley pressed the little lettered thingies in this order...
>
> > One thing which would prevent hijacks from simply guessing SIDS would be to
> > add an md5 hash to the end of a url....
> >
[snip]
> >
> > Ian
>
> This thread isn't about "guessing" a session ID, it's about "stealing" a
> session ID. The same answer applies to your response as to the
> original question.
>
> There was a thread about this just a few days ago, but the answer for
> *most* applications is an astounding, "NO." Unless you are running the
> entire transaction through SSL, any packet sniffer on the network can
> view, steal and use ANYTHING you send over the network (including the
> value of a session ID that is being sent as a cookie value, the username
> and password for a telnet session, the username and password for an
> FTP session, etc). Packet sniffers are incredibly easy to find, get and
> use (even for "script kiddies"). If your session data is *that* vital, you
> should consider using SSL.
>
> This is likely to be true as long as HTTP transmissions are stateless.
>
> Christopher Ostmo
Indeed, SSL is the only way to properly protect from 'stealing' a SID, but still, the
MD5 solution does tend to protect the integrity of the query string. The other day I
was using a SSL connection to a web site which was passing an insurance premium from
one page to another and guess what? yep! I could change the premium to just 1 pence!
and it was quite happy to take me through to the credit card transaction site and
prepare to bill me for 1p! Needless to say I didn't transact! And I won't mention the
URL! I guess this is more like session sado-masochism than hijacking?
Ian
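
An added example, not code from either poster: one way a server can detect an edited query-string value such as the premium above. It uses a keyed HMAC-SHA256 rather than a bare MD5, because an unkeyed hash of the URL can be recomputed by whoever edits it. The key, function names and parameter names are assumptions made for the illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed server-side secret for this example; it is never sent to the client.
SECRET_KEY = b"example-only-secret-key"


def _mac(params, session_id):
    """HMAC over the session ID plus the parameters in sorted, encoded form."""
    canonical = urlencode(sorted(params.items())).encode()
    msg = session_id.encode() + b"|" + canonical
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def sign_query(params, session_id):
    """Return a query string carrying a 'sig' value bound to this session."""
    if "sig" in params:
        raise ValueError("'sig' is reserved for the signature")
    return urlencode({**params, "sig": _mac(params, session_id)})


def verify_query(query, session_id):
    """Return the parameters if the signature checks out, otherwise None."""
    pairs = parse_qsl(query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)):
        return None  # a repeated parameter could shadow the signed value
    params = dict(pairs)
    sig = params.pop("sig", None)
    if sig is None:
        return None  # unsigned links are rejected outright
    expected = _mac(params, session_id)
    # Constant-time comparison on bytes, so a non-ASCII 'sig' cannot raise.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return params


if __name__ == "__main__":
    # Constructed sample values: a quote page linking to a payment page.
    link = sign_query({"policy": "P-1001", "premium": "245.00"}, "sess-A")
    print(verify_query(link, "sess-A"))
    print(verify_query(link.replace("245.00", "0.01"), "sess-A"))
```

A signed link sent without SSL can still be sniffed and replayed unchanged, as the quoted reply says; the signature only shows that the values were not altered.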