Re: [PHP] Re: a question on session ID and security



On Tue, May 29, 2007 10:36 am, Jared Farrish wrote:
But the point here is that both pieces of information required to
authenticate that client are stored on the client. If someone can get
one of them they can get the other, so it's no more secure than just
accepting the one cookie without bothering to authenticate it in any
way.

The token isn't any more secure than tokenizing a user agent and
salting it into a digest. The client still knows what their user agent
string says, and this string can also be guessed (how random can they
be?), but at least you can manipulate a secondary hash key per
day/hour, week, whatever.

The token is LESS secure, because it's obvious what you are doing --
You are sending out a clear red flag to a Bad Guy that they need this
extra token to get back in.

If they can get the first cookie, they can get the second just as easily.

You've added zero extra security.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
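The scheme discussed above (a second cookie holding a digest of the session id and user agent, keyed by a server-side key that rotates per period) and the objection to it, worked through as an added Python illustration that is not code from this thread. The session store, the per-day keys and the request values are constructed for the demo:

```python
import hmac
import hashlib

# Constructed server-side state: a rotating key per period and a session table.
SERVER_KEYS = {"2007-05-29": b"constructed-key-day-1", "2007-05-30": b"constructed-key-day-2"}
SESSIONS = {"sess-abc123": "alice"}  # session id -> user


def ua_token(session_id: str, user_agent: str, period: str) -> str:
    """Secondary token: keyed digest of session id + user agent.

    The key lives on the server and rotates per period; the session id and
    user agent are both supplied by the client on every request."""
    msg = f"{session_id}\0{user_agent}".encode()
    return hmac.new(SERVER_KEYS[period], msg, hashlib.sha256).hexdigest()


def authenticate(request: dict, period: str):
    """Return the user when session cookie, token cookie and User-Agent agree, else None."""
    sid = request["cookies"].get("PHPSESSID")
    tok = request["cookies"].get("token")
    if sid not in SESSIONS or tok is None:
        return None
    expected = ua_token(sid, request["headers"]["User-Agent"], period)
    if not hmac.compare_digest(expected, tok):
        return None
    return SESSIONS[sid]


def demo() -> dict:
    """Legitimate request vs. a byte-for-byte copy of it, before and after key rotation."""
    ua = "Mozilla/5.0 (constructed)"
    legit = {
        "cookies": {"PHPSESSID": "sess-abc123", "token": ua_token("sess-abc123", ua, "2007-05-29")},
        "headers": {"User-Agent": ua},
    }
    # Every value the server checks travels in this one request, so whoever
    # captured the session cookie captured the token and the User-Agent too.
    captured = {"cookies": dict(legit["cookies"]), "headers": dict(legit["headers"])}
    return {
        "legit": authenticate(legit, "2007-05-29"),
        "replay_same_period": authenticate(captured, "2007-05-29"),
        # Rotation ends the replay, but it ends the real user's session just the same.
        "replay_after_rotation": authenticate(captured, "2007-05-30"),
        "legit_after_rotation": authenticate(legit, "2007-05-30"),
    }
```

Rotating the key narrows the window in which a captured pair can be replayed; it does not distinguish the thief's copy from the owner's, which is the point made in the thread.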