Re: server question

From: Chung Leong (chernyshevsky_at_hotmail.com)
Date: Sat, 17 Jul 2004 00:51:22 -0400

"Marcus" <JumpMan222@aol.com> wrote in message
news:f%YJc.37499$eH1.17959389@newssvr28.news.prodigy.com...
> Tim Van Wassenhove wrote:
>
> > What do you want to make more secure?
> > The part where the user logs in, or also the data transmitted with each
> > page request?
> >
> > Almost every *large* site i know uses https to handle the submitted
> > values when a user logs in. And after that uses http to show the pages.
> >
>
> Tim:
>
> From my understanding, if someone simply listens over the network and
> steals a session, he/she then has full access to that user's
> information. Since I am using session var's to keep track of things,
> would using https first and then http be vulnerable?

Here're some numbers I found on the web:

"In our tests of the two and four Xeon DP processors, we achieved 32 SSL
transaction/sec with two processors, and 54 SSL transaction/sec with four
processors. In the tests with two, four, six and eight Xeon MP processors,
we achieved SSL rates of 16, 35, 50 and 70 transactions per second,
respectively. The DP performance is slightly higher than the MP performance
because the DP processors run at 2.4GHz and the MP processors run at
1.6GHz."

Large commercial sites typically use hardware SSL accelerators to augment
the web server.

You're right about the session id yielding full access to the system. If you
store the session id in a secure cookie, then it wouldn't be sent when the
browser is communicating in HTTP.
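As an added illustration of the last point (example code, not from the original post or any project discussed in it): in PHP the "secure cookie" is the session cookie issued with the Secure attribute, which the browser then only attaches to HTTPS requests. The function names `startSecureSession()` and `loginUser()` are hypothetical, and the array form of `session_set_cookie_params()` assumes PHP 7.3 or later.

```php
<?php
// Added example, not from the original post: start a PHP session whose cookie
// carries the Secure attribute, so the browser never sends the session id over
// plain HTTP. Assumes PHP 7.3+ for the array form of session_set_cookie_params().

declare(strict_types=1);

function startSecureSession(): void
{
    // Refuse to start a session on a plain-HTTP request: a session id issued
    // here would be visible to anyone listening on the network.
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['SERVER_PORT'] ?? null) == 443);
    if (!$isHttps) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }

    // Cookie-only sessions: never accept a session id from the URL or POST body,
    // and reject ids the server did not itself generate.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // host-only cookie
        'secure'   => true,     // the point of the post: not sent over HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);

    session_start();
}

function loginUser(string $userId): void
{
    startSecureSession();
    // Issue a fresh id once the user has authenticated, so an id observed
    // before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
}

// Hypothetical usage after the login form has been validated:
// loginUser('alice');
```

One consequence worth noting: because the browser withholds a Secure cookie on HTTP requests, the pages served over HTTP after login will not see the session at all. Keeping the session id off the wire in the clear therefore means keeping every page that relies on that session on HTTPS, rather than switching back to HTTP after the login form.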
