Re: a question on session ID and security
- From: farrishj@xxxxxxxxx ("Jared Farrish")
- Date: Tue, 29 May 2007 07:25:41 -0500
On 5/29/07, Stut <stuttle@xxxxxxxxx> wrote:
What utter crud. An SSL connection encrypts the whole HTTP conversation,
including headers and even the URL you are requesting. The response is
also encrypted. It doesn't matter whether you're doing a POST or a GET
request, it's all encrypted.
The URL string is encrypted in HTTPS? Well, I was certainly under a
different impression (same with headers). Since I can't say I know any
better beyond a shadow of a doubt, I'll take your word for it. : )
Cookies are no more secure than the session ID. The general conclusion
from many years of discussion in the web community is that the user
experience is diminished so much by not trusting a session ID that the
security improvements are not justified.
So by storing sensitive information in a SESSION, you're safer? Only if the
session doesn't get read... I don't know, I guess in the security sense, it
should be seen as a part of the "conversation" as you put it, so if you
can't trust SESSION, you probably shouldn't use it at all for secure
applications. I still don't see the sense in storing sensitive information
in a session, at least one that persists; if it is passed to a temp table in
a database and destroyed across calls, I can see that as a better solution,
as long as you have a strong database security configuration.
If you're really concerned then your best bet is to reduce the session
lifetime to 5-10 minutes. Another 'trick' people sometimes use is to
store the user agent in the session and expire it if a request tries to
use an existing session with a different user agent. Unfortunately you
cannot rely on the IP address remaining the same throughout a session,
so don't build that into your session validation.
Well, if you use COOKIES, you can pass a secondary hash key that can be used
to validate the actual key against a footprint for a visitor (from
$_SERVER). Salt in a date/timestamp and SHA1 or other, and I feel like
that's a pretty good way to check against a visitor. I just think it feels
flimsy to validate a user on a SESSION key only.
--
Jared Farrish
Intermediate Web Developer
Denton, Tx
Abraham Maslow: "If the only tool you have is a hammer, you tend to see
every problem as a nail." $$
--
Jared Farrish
Intermediate Web Developer
Denton, Tx
Abraham Maslow: "If the only tool you have is a hammer, you tend to see
every problem as a nail." $$
- Follow-Ups:
- References:
- Re: a question on session ID and security
- From: "Jared Farrish"
- Re: [PHP] Re: a question on session ID and security
- From: Stut
- Re: a question on session ID and security
- Prev by Date: Re: [PHP] Streaming download to IE doesn't work
- Next by Date: Re: [PHP] Re: Tipos about which CMS use
- Previous by thread: Re: [PHP] Re: a question on session ID and security
- Next by thread: Re: [PHP] Re: a question on session ID and security
- Index(es):
Relevant Pages
|
|
