a question on session ID and security
Davis Chan
06-02-2007, 08:55 PM

Hi! I am developing a site with some authenticated-users-only features.
I would like to know if the following is true:

1. script for login process is located on a SSL-enabled server, so
usernames and passwords are encrypted.
2. upon successful login, user is relocated to a non-SSL-enabled server
which hosts the scripts that contain the authenticated-user-only features.

So, while usernames and passwords are protected by SSL, the PHPSESSID is
not. In other words, anyone who captures that HTTP GET packet can get
the session ID. Is that true?
Another question: that session ID is valid only until an unset() and a
session_destroy(). So the attacker who has the session ID must fake the
session before the real user logs out. Is that true?

Thanks in advance for any help offered.

Re: [PHP] a question on session ID and security
Richard Lynch
06-02-2007, 08:56 PM

On Mon, May 28, 2007 6:46 pm, Davis Chan wrote:
> Hi! I am developing a site with some authenticated users only
> features.
> I would like to know if the following is true:
>
> 1. script for login process is located on a SSL-enabled server, so
> usernames and passwords are encrypted.
> 2. upon successful login, user is relocated to a non-SSL-enabled
> server
> which hosts the scripts that contain the authenticated-user-only
> features.
>
> So, while usernames and passwords are protected by SSL, the PHPSESSID
> is
> not. In other words, anyone who captures that HTTP GET packet can get
> the session ID. Is that true?

True.

> Another question is while that session ID is valid only before an
> unset() and a session_destroy(). So the attacker who has the session
> ID
> must fake the session before the real user logout. Is that true?

Define 'logout'...

Website visitors rarely 'logout' -- They just close the browser, or
not, and walk away.

If it's their bank account they MIGHT take the time/effort to logout,
but if there's no loss to them for somebody else to "borrow" their
account, they won't feel a pressing need to logout.

I would recommend that you just leave the authenticated stuff in SSL
the whole way through.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
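What "leave the authenticated stuff in SSL the whole way through" looks like in PHP session code, as an added example (not code from either poster). It assumes PHP 7.3 or later (for the array forms of session_set_cookie_params() and setcookie()), and the helper names require_https(), start_hardened_session(), login_user(), logout_user() and session_is_fresh() are mine. The idea is that the session cookie is only ever issued and accepted over HTTPS, never appears in a URL, is replaced by a fresh ID at login, and expires on its own if the visitor never bothers to log out.

```php
<?php
// Added example: keep the session ID off plain HTTP for the whole session.

// Refuse to run over plain HTTP; redirect to the HTTPS copy of the same URL.
function require_https(): void
{
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
    if (!$https) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }
}

function start_hardened_session(): void
{
    // ID travels only in a cookie, never as ?PHPSESSID= in a GET line.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not issue (blocks pre-set/fixated IDs).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,         // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,      // browser sends it over HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Call once credentials have been verified over TLS. A fresh ID means any
// value seen before login is useless afterwards.
function login_user(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old server-side record
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// A real logout: clear data, expire the cookie, remove the server-side record.
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Idle timeout (30 minutes here, a constructed value) bounds how long a
// captured ID stays usable when the visitor just closes the browser.
function session_is_fresh(int $maxIdle = 1800): bool
{
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    if (time() - (int) ($_SESSION['last_seen'] ?? 0) > $maxIdle) {
        logout_user();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Typical use at the top of every authenticated-only script:
require_https();
start_hardened_session();
if (!session_is_fresh()) {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . '/login.php', true, 302);
    exit;
}
```

With the cookie flagged secure, a browser will not attach it to an HTTP request at all, so the capture described in the question cannot happen even if a link to the plain-HTTP host slips through; the idle timeout and the session_regenerate_id() at login cover the "nobody logs out" case Richard raises.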