In SESSION-VERIFY, if the request contains the wrong session-string, the identified session is removed from the acceptor. As is noted in the comment, this means that the true owner of the session will have to re-establish the session (i.e. log in again).
While the most likely cause for the "fake session id" is a changed user-agent (version) or remote IP address, a malicious attacker could very easily remove all the server's sessions by generating easily predictable IDs and passing in fake session strings for each ID. This would be an effective DoS attack requiring almost no effort or resources.
Can the call to REMOVE-SESSION from within SESSION-VERIFY either be removed or, at the very least, be made into an option?
Also, I'd suggest changing the default value of USE-USER-AGENT-FOR-SESSIONS to NIL, since this can invalidate a session even just by a minor version update to the user agent.
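The following is an added, self-contained Python model of the verification step the issue describes; it is not Hunchentoot's Lisp code. The `remove_on_mismatch` flag reproduces the reported SESSION-VERIFY behaviour, the same store with the flag off shows the requested fix, and `use_user_agent` models the USE-USER-AGENT-FOR-SESSIONS default. All names, the MAC construction and the sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Stands in for *session-secret*; generated per process (constructed, not the project's value).
SECRET = secrets.token_bytes(32)

def session_string(session_id, user_agent, remote_addr, start):
    """Keyed MAC over the id and client fingerprint, the role encode-session-string plays."""
    msg = f"{session_id}|{user_agent}|{remote_addr}|{start}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

class SessionStore:
    """Minimal model of an acceptor's session table."""
    def __init__(self, remove_on_mismatch, use_user_agent=True):
        self.sessions = {}            # id -> {"string": ..., "start": ...}
        self.next_id = 1              # sequential ids, as predictable as the issue says
        self.remove_on_mismatch = remove_on_mismatch
        self.use_user_agent = use_user_agent
        self.warnings = []            # stands in for the "Fake session identifier" warning

    def _fingerprint(self, user_agent):
        # USE-USER-AGENT-FOR-SESSIONS set to NIL drops the UA from the MAC input
        return user_agent if self.use_user_agent else ""

    def start_session(self, user_agent, remote_addr, start=0):
        sid, self.next_id = self.next_id, self.next_id + 1
        s = session_string(sid, self._fingerprint(user_agent), remote_addr, start)
        self.sessions[sid] = {"string": s, "start": start}
        return f"{sid}:{s}"           # cookie value, "id:session-string"

    def verify(self, cookie, user_agent, remote_addr):
        """Return the session id for a valid cookie, else None."""
        sid_str, _, presented = cookie.partition(":")
        if not sid_str.isdigit():
            return None
        sid = int(sid_str)
        session = self.sessions.get(sid)
        if session is None:
            return None               # unknown or expired id: nothing to do
        expected = session_string(sid, self._fingerprint(user_agent), remote_addr, session["start"])
        if hmac.compare_digest(presented.encode(), expected.encode()):
            return sid
        # Mismatch: either a changed client fingerprint or a forged string.
        self.warnings.append(f"fake session identifier for id {sid}")
        if self.remove_on_mismatch:   # the SESSION-VERIFY behaviour the issue reports
            del self.sessions[sid]    # one bogus request evicts the legitimate owner
        return None
```

With `remove_on_mismatch=False` a forged string is still rejected and logged, but the legitimate cookie keeps working; with `use_user_agent=False` a browser version bump no longer invalidates the session.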