LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Gathering session cookies with Firesheep

Gathering session cookies with Firesheep

Posted Nov 4, 2010 9:51 UTC (Thu) by oseemann (subscriber, #6687)
In reply to: Gathering session cookies with Firesheep by JohnLenz
Parent article: Gathering session cookies with Firesheep

This approach would be problematic with concurrent requests.

I.e. when static file requests, ajax requests or multiple requests in separate tabs all use the same sequence number, only the first one would succeed, all other would fail, due to the sequence number already being used. For each request the browser would have to wait for the next sequence number + hash to arrive before starting the next request. That's just not feasible.

Accepting a list/range of sequence numbers or giving each one a specific validity period (i.e. 10s) could remedy that problem, but would also open the window for attackers again.

Granted, static files may be excluded from the requirement, but with the ubiquity of ajax these days and users' habit of opening several links in background tabs, this is not an acceptable workaround.

(Log in to post comments)

Gathering session cookies with Firesheep

Posted Nov 5, 2010 4:01 UTC (Fri) by jzbiciak (✭ supporter ✭, #5246) [Link]

Then perhaps don't require cookies to get static pages, and only use them for the dynamic ones?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds