On Tue, Jan 27, 2009 at 1:49 PM, Matt McCutchen <matt@xxxxxxxxxxxxxxxxx> wrote: > On Tue, 2009-01-27 at 18:35 +0000, Nick Kew wrote: >> On Tue, 27 Jan 2009 10:02:58 -0500 >> Brian Mearns <mearns.b@xxxxxxxxx> wrote: >> >> > . So basically what I'm coming >> > to is that session's aren't completely insecure unless over HTTPS? >> >> Well, you can send a session token. >> >> With HTTP Digest Authentication, it's secure. > > The session token may be secure, but that's useless without integrity > protection of request bodies. If you want real security, use HTTPS. I'm not concerned right now with security of content, I'm concerned with someone highjacking another person's session. I send a session token, and the client sends it back, either in cookie data or in the URL. Either way, it's plain text on the net, so anyone can just grab it and send it to my server, which won't have anyway of knowing if it's the original session creator or not. It's not clear to me how HTTP auth would help? Thanks, -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://pgp.mit.edu/ --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|