Re: [http-state] Welcome to http-state

"Blake Frantz" <> Tue, 13 January 2009 16:14 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id 1686D3A6956; Tue, 13 Jan 2009 08:14:47 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8B19D3A6944 for <>; Tue, 13 Jan 2009 08:14:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qBqReODb-etC for <>; Tue, 13 Jan 2009 08:14:42 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id ACA343A6877 for <>; Tue, 13 Jan 2009 08:14:40 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Tue, 13 Jan 2009 11:14:09 -0500
Message-ID: <120206B6A348CA498C70E738A2E963514C0CE6@Nexus.cisecurity.lan>
In-Reply-To: <>
Thread-Topic: [http-state] Welcome to http-state
Thread-Index: Acl1GglEUjpj+SqfQ+CCH/VTUHHeFgAAXGug
References: <><120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan><><120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan><><120206B6A348CA498C70E738A2E963514C0CD5@Nexus.cisecurity.lan><><120206B6A348CA498C70E738A2E963514C0CDB@Nexus.cisecurity.lan> <>
From: Blake Frantz <>
To: Discuss HTTP State Management Mechanism <>
Subject: Re: [http-state] Welcome to http-state
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <>
List-Id: Discuss HTTP State Management Mechanism <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

> I don't understand what you mean by "actively asserts."  My point is
> that a browser cannot do this with the current headers without a
> unbounded amount of storage.

When the user agent sends a Content-Integrity header it is actively
asserting the cookie's integrity level. Regarding storage, we've gone
full circle on this one. I'm thinking our time might be better served if
we spent 15 mins on the phone to talk this through. That, or shoot me
additional information on the storage-based implications you are
referring to. I would appreciate the education. If you have some time to
discuss this, give me a call any time at (206) 384 3023 or shoot me your
number and a good time to call you.

> How would you know if you've encountered instance of this pattern?  

I would have hopefully logged an improper session termination bug
against one of the sites I had performed security testing on. If the
logout handler operates over HTTP and the session ID is stuffed in a
Secure cookie then the logout handler would have no idea which session
it should terminate because it would not have access to the session ID.
This would result in a lingering session. I don't recall writing about
an improper session termination bug that was manifest due to the logout
handler being exposed over HTTP vice HTTPS. Again, my experience does
not mean this pattern isn't implemented all over the place.

http-state mailing list