Re: a question on session ID and security

On 5/29/07, Stut <stuttle@xxxxxxxxx> wrote:

> What utter crud. An SSL connection encrypts the whole HTTP conversation,
> including headers and even the URL you are requesting. The response is
> also encrypted. It doesn't matter whether you're doing a POST or a GET
> request, it's all encrypted.


The URL string is encrypted in HTTPS? Well, I was certainly under a
different impression (same with headers). Since I can't say I know any
better beyond a shadow of a doubt, I'll take your word for it. : )

> Cookies are no more secure than the session ID. The general conclusion
> from many years of discussion in the web community is that the user
> experience is diminished so much by not trusting a session ID that the
> security improvements are not justified.


So by storing sensitive information in a SESSION, you're safer? Only if the
session doesn't get read... I don't know, I guess in the security sense, it
should be seen as a part of the "conversation" as you put it, so if you
can't trust SESSION, you probably shouldn't use it at all for secure
applications. I still don't see the sense in storing sensitive information
in a session, at least one that persists; if it is passed to a temp table in
a database and destroyed across calls, I can see that as a better solution,
as long as you have a strong database security configuration.

> If you're really concerned then your best bet is to reduce the session
> lifetime to 5-10 minutes. Another 'trick' people sometimes use is to
> store the user agent in the session and expire it if a request tries to
> use an existing session with a different user agent. Unfortunately you
> cannot rely on the IP address remaining the same throughout a session,
> so don't build that into your session validation.


Well, if you use COOKIES, you can pass a secondary hash key that can be used
to validate the actual key against a footprint for a visitor (from
$_SERVER). Salt in a date/timestamp and SHA1 or other, and I feel like
that's a pretty good way to check against a visitor. I just think it feels
flimsy to validate a user on a SESSION key only.

--
Jared Farrish
Intermediate Web Developer
Denton, Tx

Abraham Maslow: "If the only tool you have is a hammer, you tend to see
every problem as a nail." $$
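The two ideas traded above (a short session lifetime, and a per-visitor footprint from $_SERVER that the session must keep matching) as one added PHP example; this is not code from the thread. It uses HMAC-SHA256 keyed with a server-side secret in place of the salted SHA1 mentioned, leaves the client IP out of the footprint as Stut advises, and assumes a placeholder SESSION_SECRET and a 10-minute idle limit.

```php
<?php
// Added example, not from the thread. Bind a PHP session to a visitor footprint
// and enforce a short idle timeout. SESSION_SECRET is an assumed placeholder;
// generate a long random value per deployment and keep it out of the web root.
const SESSION_SECRET = 'REPLACE-WITH-LONG-RANDOM-SERVER-SIDE-SECRET';
const SESSION_IDLE_SECONDS = 600; // 10 minutes, the upper end of the 5-10 suggested

// Footprint = HMAC over the User-Agent only. The remote IP is deliberately
// excluded: it can change legitimately mid-session (proxies, mobile networks).
function visitor_footprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, SESSION_SECRET);
}

// Call right after a successful login: fresh id, footprint and timestamp.
function bind_session(array $server, int $now): void
{
    session_regenerate_id(true); // discard the pre-login (possibly fixated) id
    $_SESSION['footprint'] = visitor_footprint($server);
    $_SESSION['last_seen'] = $now;
}

// True if the session still matches this visitor and has not gone idle;
// otherwise the session data is wiped and the caller should re-authenticate.
function validate_session(array $server, int $now): bool
{
    $expected = $_SESSION['footprint'] ?? null;
    $last     = $_SESSION['last_seen'] ?? 0;
    $ok = is_string($expected)
        && hash_equals($expected, visitor_footprint($server)) // constant-time compare
        && ($now - $last) <= SESSION_IDLE_SECONDS;
    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = $now; // sliding idle window
    return true;
}

// Typical protected-page flow. Cookie flags keep the session id off plain HTTP
// and away from script access (array form of this call needs PHP 7.3+).
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
if (!validate_session($_SERVER, time())) {
    header('Location: /login.php');
    exit;
}
```

Because the footprint is keyed with a secret that never leaves the server, a client cannot forge a matching value for a different User-Agent even if it learns the session id.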

