Fwd: [PHP] Re: a question on session ID and security
- From: farrishj@xxxxxxxxx ("Jared Farrish")
- Date: Tue, 29 May 2007 09:10:05 -0500
On 5/29/07, Stut <stuttle@xxxxxxxxx> wrote:
> Don't get me wrong, I don't want to discourage anyone from thinking
> about ways to improve it, but personally I consider this issue done to
> death.
Well, I think the difference is that you send one key (a session identifier)
and hash on user agent report, while I send an authentication key and a
secondary hash key stored in cookies. I'm sending only nominally more
information than you are, so I don't think there's THAT much difference
between what we're saying here. As a lot of users would store session IDs
as cookies, and fall back to a query string ID, like I said, I don't see
much of a difference in our approaches, except you don't seem to think mine
is acceptable since it's not a "session" ID.
If you supply the salt (instead of relying on it being provided, vis-à-vis
user agent report), and store that in a cookie on the client, and then that
client can't reproduce an accurate, unchanged version of that cookie, what
change in either the salt and/or the auth ID would make this approach
unacceptable (and not break the authentication)? I see major web firms use
cookies all the time, so I'm not sure why there is a bias against cookies,
besides a user that doesn't support cookies in the first place (which is a
real concern, I admit).
I remember a poster on a wall of a tech dept my friend worked for that had a
faux-advert for a "security dongle" for a computer. Essentially, it was a
rubber stopper that was put on a power cable that provided a "100% secure
air gap."
Whether it's been settled or not, I'm not nearly as played out on discussing
it (especially if I'm not getting aspects correct) as I am about browser
bickering, OS wars, and all the other "dispassionate" discourse currently
"enlightening" the internet. At least with security, there's some known
benefit to discussing it!
--
Jared Farrish
Intermediate Web Developer
Denton, Tx
Abraham Maslow: "If the only tool you have is a hammer, you tend to see
every problem as a nail."
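The two schemes being compared in this message, written out as a runnable PHP sketch. This is an added example, not code from either poster: approach (a) binds a session ID to a keyed hash of the User-Agent header, approach (b) pairs an authentication ID with a second, server-issued random secret that the client must return unchanged in a cookie. The in-memory `$store` array (standing in for a database), the `SERVER_KEY` constant and the cookie names are assumptions.

```php
<?php
// Added example (not code from the original thread). The in-memory $store
// stands in for a server-side session/auth table; SERVER_KEY is assumed to be
// a long random value loaded from configuration in a real deployment.
declare(strict_types=1);

const SERVER_KEY = 'replace-with-a-long-random-server-secret'; // assumption

// --- Approach (a): session id + keyed hash of the User-Agent string ---------
function issueUaBoundSession(array &$store, string $userAgent): string
{
    $sid = bin2hex(random_bytes(16));
    // Keep a fingerprint of the UA next to the session so later requests
    // presenting this id can be checked against it.
    $store[$sid] = ['ua_hash' => hash_hmac('sha256', $userAgent, SERVER_KEY)];
    return $sid;
}

function checkUaBoundSession(array $store, string $sid, string $userAgent): bool
{
    if (!isset($store[$sid])) {
        return false; // unknown or expired session id
    }
    $expected = hash_hmac('sha256', $userAgent, SERVER_KEY);
    // Constant-time comparison: do not leak how many bytes matched.
    return hash_equals($store[$sid]['ua_hash'], $expected);
}

// --- Approach (b): auth id + server-supplied secret in a second cookie ------
function issueAuthPair(array &$store): array
{
    $authId = bin2hex(random_bytes(16));
    $secret = bin2hex(random_bytes(32)); // the "salt" the server supplies
    // Persist only a keyed hash of the secret; the client holds the secret.
    $store[$authId] = ['secret_hash' => hash_hmac('sha256', $secret, SERVER_KEY)];
    return ['auth_id' => $authId, 'secret' => $secret];
}

function checkAuthPair(array $store, string $authId, string $secret): bool
{
    if (!isset($store[$authId])) {
        return false; // unknown auth id
    }
    $presented = hash_hmac('sha256', $secret, SERVER_KEY);
    return hash_equals($store[$authId]['secret_hash'], $presented);
}

// Deliver the pair to the browser. Cookie names and the HttpOnly/Secure/
// SameSite flags are assumptions; the thread itself does not specify them.
function sendAuthCookies(string $authId, string $secret): void
{
    $opts = ['httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/'];
    setcookie('auth_id', $authId, $opts);
    setcookie('auth_key', $secret, $opts);
}

// --- Constructed demo (run with: php example.php) ---------------------------
$store = [];
$ua = 'Mozilla/5.0 (constructed sample User-Agent)';

$sid = issueUaBoundSession($store, $ua);
var_dump(checkUaBoundSession($store, $sid, $ua));              // same UA
var_dump(checkUaBoundSession($store, $sid, 'OtherAgent/1.0')); // UA changed

$pair = issueAuthPair($store);
var_dump(checkAuthPair($store, $pair['auth_id'], $pair['secret']));         // cookie intact
var_dump(checkAuthPair($store, $pair['auth_id'], strrev($pair['secret']))); // cookie altered
```

Two points the sketch makes concrete: in (a) the binding is to a header the client sends, so the check only holds as long as that header is stable and honest; in (b) the second cookie raises the cost of guessing a valid pair (the stored hash is keyed, so the table alone does not yield usable cookies), but since both cookies travel on the same channel it adds nothing against an attacker who already has the client's whole cookie jar.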