May 7th, 2007, 03:42 PM
#3
First off, thank you very much for taking the time to read the paper. I really do appreciate your input. My friends and I talked a lot about what you mentioned above, and we all came to different conclusions as to what responsibility Facebook has. Personally, I don't think that all RPC-based web services are doomed to failure just because they do transmit cookie information via the HTTP header without using some level of encryption throughout their site. I believe that if web services just give up immediately and say, "oh, it's not our fault, that's the way everyone does it!", then they are not focusing on securing their app. In my paper, I mentioned a technique to add additional layers of security to prevent such an attack. The first idea is to store some type of unique identifier when the session is first spawned, so the server has a better clue as to who the user is. By doing this, the server will be more "intelligent", and base access on more variables than just a session key.
Any idea as to why sessions were not being destroyed? I noticed this when I was using a friend’s cookie credentials to take on his identity (of course he was in the room with me and we were both okay with what I was doing). I told him to log out, and noticed that even after he was logged out, I still had full access to the site! Is this just poor practice or is it justifiable? I tried the attack again before my final presentation, and noticed that Facebook had fixed the problem so I assume they want sessions destroyed when a user logs out…
I personally don't think that an AntiOnline account has as much to lose as a regular Facebook account does. Most Facebook users spend a TON of time on the site, and have private messages that they really want to keep private. I have not investigated the way Gmail and other sites handle cookies and sessions (or if they take a RESTful approach to login), so I do not have the authority to make any claims. Has anyone been able to gain access to a Gmail or Yahoo account by performing some type of simple session stealing attack?
Thanks again for reading! I know it's long...
Support your right to arm bears.
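An added example (not code from the post, the paper it mentions, or Facebook) showing the two server-side controls the post raises: recording a client identifier when the session is spawned and checking it on every request, and destroying the session on logout so a replayed cookie is refused. The session store, the server secret and the client attributes are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory session store: session id -> record (a real site would use a database).
SESSIONS = {}

# Constructed server secret; a deployment would load this from protected configuration.
SERVER_SECRET = b"example-secret-not-for-production"


def client_binding(client_ip, user_agent):
    """Keyed hash of client attributes captured when the session is spawned.

    The binding lives only on the server, so a sniffed cookie on its own does not
    reveal it and a replay from a different-looking client can be detected.
    """
    material = f"{client_ip}|{user_agent}".encode()
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).hexdigest()


def login(user, client_ip, user_agent):
    """Create a session and remember who the client looked like at creation time."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "binding": client_binding(client_ip, user_agent),
        "created": time.time(),
    }
    return sid


def authorize(sid, client_ip, user_agent):
    """Return the user if the session exists AND the client still matches, else None."""
    record = SESSIONS.get(sid)
    if record is None:
        return None  # unknown or destroyed session: the cookie alone is not enough
    if not hmac.compare_digest(record["binding"], client_binding(client_ip, user_agent)):
        return None  # same session key, different client: refuse (and worth logging)
    return record["user"]


def logout(sid):
    """Destroy the session on the server; the cookie must be useless afterwards."""
    SESSIONS.pop(sid, None)
```

Binding to IP and User-Agent is a defence-in-depth layer, not a replacement for encrypting the whole session: users behind changing NAT or mobile addresses will be logged out, and the User-Agent header can be copied along with the cookie.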