Progress Communities, OpenEdge ABL forum post: JSDO Context and Session Security

Thread starter: maynardr
Hi. Looking at the JSDO JS library, I am trying to work out how the JSESSIONID is made. A security audit has asked us to prove that it cannot be shared between sessions, either accidentally or maliciously. The JSDO seems to use Math.random features, a timestamp, and some ascending sequence number in _getNextTimeStamp. Subsequent requests only get regenerated fully after a large number of requests. Is this correct? If the JSESSIONID is regenerated fully with each received request that is probably OK (and the previous JSESSIONID invalidated). But if it is just based on the seq number with the original timestamp and random value it may be spoofable (I haven't tried yet but am likely to be asked to). I am looking at around line 8950 and on in JSDO Ver 4.0.
