[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[OAUTH-WG] WRAP session fixation?

From: Brian Eaton <beaton at google.com>
To: Mike Malone <mjmalone at gmail.com>
Cc: Naitik Shah <naitik at facebook.com>, Luke Shepard <lshepard at facebook.com>, Brent Goldman <brent at facebook.com>, "oauth at ietf.org" <oauth at ietf.org>
Date: Tue, 24 Nov 2009 17:28:41 -0800

On Tue, Nov 24, 2009 at 4:35 PM, Mike Malone <mjmalone at gmail.com> wrote:
> One final note - unless I'm missing something WRAP is vulnerable to
> the same session fixation attack that OAuth 1.0 had... unless it's
> requiring callback registration, which is a really lame solution to
> that problem.

Callback registration is not required to prevent session fixation.
Check out the requirements in section 5.4.6 "Successful Access Token
Response From Authorization Server."  They are (supposed to) be
sufficient to prevent the attack.

Cheers,
Brian

Follow-Ups:
- Re: [OAUTH-WG] WRAP session fixation?
  - From: Michael Malone

Prev by Date: Re: [OAUTH-WG] Facebook, OAuth, and WRAP
Next by Date: Re: [OAUTH-WG] WRAP session fixation?
Previous by thread: [OAUTH-WG] Facebook, OAuth, and WRAP
Next by thread: Re: [OAUTH-WG] WRAP session fixation?
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.