06/05/2012 01:09 PM Posted by Mashi
It's always funny when these "IT professionals" just know session spoofing is happening even when we KNOW for a fact that NO account with a physical or mobile authenticator has been compromised. The authenticator is another part of the authentication process and has NOTHING to do with the session itself, so if session spoofing like the OP describes is happening, an authenticator wouldn't provide any protection at all. Doh!
Got proof? Of course not. And authenticators are indeed part of the session. You can't create a session without passing an authenticator check.
Otherwise, how would you be able to ah...login?
LOL. Keep digging that hole. Once you authenticate, the session is created. You don't keep authenticating over and over. If you could session spoof, the fact that an authenticator was used during the authentication process is now irrelevant, because you'd be stealing the session and bypassing the authentication process altogether. It's funny when people who don't even understand basic security principles try to talk like they do.