Thursday, June 25, 2009
SANS
If the attacker can fixate, hijack, or steal a Session from the victim, this type of attack will succeed no matter if the web site uses Forms Authentication, Windows Authentication, Client Certificates, etc. It doesn’t matter. As long as the attacker also has an account in the system as well as the victim’s Session ID, they can take over the session…that is unless the developer adds some additional checks
. . .
Once you couple session and the authentication mechanism together and then configure Forms authentication properly, you can provide adequate session protection. Another important point - don’t use Session anywhere outside of the authenticated areas of your site.
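One way to implement the coupling the excerpt calls for, shown here as an added example in Python (not ASP.NET code, and not code from the SANS post): the session ID is rotated at login so a fixated pre-login ID stops working, and every session is bound to the authenticated identity, so a stolen ID presented under any other account is rejected and destroyed. The `SessionStore` class and its method names are assumptions made for this illustration.

```python
import secrets


class SessionStore:
    """Server-side session store that binds each session to an authenticated user.

    Illustrative class (not a real framework API): it shows the two checks the
    excerpt asks for, ID rotation at login and identity binding on each request.
    """

    def __init__(self):
        # session_id -> {"user": bound username or None, "data": per-session state}
        self._sessions = {}

    def new_session(self):
        # Anonymous (pre-login) session; it carries no trust and no user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "data": {}}
        return sid

    def login(self, old_sid, username):
        # Discard whatever ID the client arrived with (it may have been planted
        # by an attacker) and issue a fresh one bound to the authenticated user.
        self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "data": {}}
        return sid

    def get_session(self, sid, authenticated_user):
        # Only serve Session inside authenticated areas, and only when the
        # session's bound user matches the identity the auth layer established.
        if not authenticated_user:
            return None
        session = self._sessions.get(sid)
        if session is None or session["user"] != authenticated_user:
            # Mismatch means a fixated, hijacked or stolen ID: drop it entirely.
            self._sessions.pop(sid, None)
            return None
        return session


def fixation_scenario():
    """Constructed walkthrough: a planted pre-login ID dies at the victim's login."""
    store = SessionStore()
    planted = store.new_session()             # ID an attacker could hand to the victim
    victim_sid = store.login(planted, "victim")  # victim authenticates; ID rotated
    planted_still_valid = store.get_session(planted, "victim") is not None
    victim_ok = store.get_session(victim_sid, "victim") is not None
    attacker_ok = store.get_session(victim_sid, "attacker") is not None
    return planted_still_valid, victim_ok, attacker_ok
```

`fixation_scenario()` returns `(False, True, False)`: the planted ID is dead, the victim's rotated session works, and presenting that session under another account is refused.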
Friday, June 12, 2009
MSDN
But whereas the phrase “data-driven” implies the use of data as the driving mechanism, a model-driven application is one in which the data is exposed and consumed as models, highly structured, interoperable data. Furthermore, while we often described the use to which data is put with the words “application state” data or “metadata,” in truth data is data. Application and state data (as well as metadata about both that application and its state data) can be equally stored, queried, and often executed by runtimes.