Difference between revisions of "Insufficient Session-ID Length"

From OWASP
Jump to: navigation, search
Line 2: Line 2:
  
 
==Description==
 
==Description==
 +
The session-ID is not long enough to prevent brute-force session ID guessing attacks. It should be at least 128-bit long.
  
 
==Examples ==
 
==Examples ==
  
 
==Related Threats==
 
==Related Threats==
 +
* Attackers that are try to obtain a valid session id for [[Session hijacking]].
  
 
==Related Attacks==
 
==Related Attacks==
 +
* [[Brute-force attack]]
  
 
==Related Vulnerabilities==
 
==Related Vulnerabilities==
 +
* [[Insufficient cryptographic key length]]
  
 
==Related Countermeasures==
 
==Related Countermeasures==

Revision as of 13:29, 29 June 2006

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Description

The session-ID is not long enough to prevent brute-force session ID guessing attacks. It should be at least 128-bit long.

Examples

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures

Category:Session Management

Categories

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.