On Mon, May 28, 2007 6:46 pm, Davis Chan wrote:
> Hi! I am developing a site with some authenticated-users-only
> features.
> I would like to know if the following is true:
>
> 1. script for login process is located on an SSL-enabled server, so
> usernames and passwords are encrypted.
> 2. upon successful login, user is relocated to a non-SSL-enabled server
> which hosts the scripts that contain the authenticated-user-only
> features.
>
> So, while usernames and passwords are protected by SSL, the PHPSESSID is
> not. In other words, anyone who captures that HTTP GET packet can get
> the session ID. Is that true?

True.

> Another question is while that session ID is valid only before an
> unset() and a session_destroy(). So the attacker who has the session ID
> must fake the session before the real user logs out. Is that true?

Define 'logout'...

Website visitors rarely 'logout' -- they just close the browser, or not, and walk away.

If it's their bank account they MIGHT take the time/effort to logout, but if there's no loss to them for somebody else to "borrow" their account, they won't feel a pressing need to logout.

I would recommend that you just leave the authenticated stuff in SSL the whole way through.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
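The thread's two points (the session ID leaking over plain HTTP or in a GET URL, and users who never log out) are both addressed by how PHP's session is configured. The following is an added example written for this page, not code from the thread or from PHP's documentation; it assumes PHP 7.3 or later (array form of session_set_cookie_params() and setcookie() with 'samesite') and that the whole authenticated area is served over HTTPS, as the reply recommends. The user table and credentials_ok() are constructed stand-ins for the application's own storage.

```php
<?php
// Added example: hardened session handling for an authenticated-only area.
// Goal: the session ID is only ever sent as a Secure, HttpOnly cookie
// (never in a URL), is replaced at login, and expires even when the
// visitor simply closes the browser and walks away.

const ABSOLUTE_LIFETIME = 8 * 3600;   // hard cap on a session, in seconds
const IDLE_LIMIT        = 30 * 60;    // idle timeout, in seconds

function secure_session_start(): void
{
    // Never accept or emit the ID via the query string (no ?PHPSESSID=...).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs that the server did not itself generate (session fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // cookie is withheld on plain HTTP requests
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);

    session_start();
}

// Constructed stand-in for the application's user store; the hash is for
// the password "correct horse" and was produced with password_hash().
// Hypothetical helper, not part of any framework.
function credentials_ok(string $username, string $password): bool
{
    $users = [
        'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
    ];
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

function login_user(string $username): void
{
    // Issue a fresh ID on privilege change, so any ID observed before
    // login (or planted by a third party) is no longer valid.
    session_regenerate_id(true);
    $_SESSION['user']        = $username;
    $_SESSION['login_time']  = time();
    $_SESSION['last_active'] = time();
}

function is_authenticated(): bool
{
    if (empty($_SESSION['user'])) {
        return false;
    }
    $now = time();
    // Expire sessions that were never explicitly logged out.
    if ($now - $_SESSION['login_time'] > ABSOLUTE_LIFETIME
        || $now - $_SESSION['last_active'] > IDLE_LIMIT) {
        logout_user();
        return false;
    }
    $_SESSION['last_active'] = $now;
    return true;
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser, then discard the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage (login form posts to this script over HTTPS):
secure_session_start();
if (isset($_POST['username'], $_POST['password'])
    && credentials_ok($_POST['username'], $_POST['password'])) {
    login_user($_POST['username']);
}
if (!is_authenticated()) {
    header('Location: /login.php', true, 303);
    exit;
}
echo 'Logged in as ', htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

With `session.use_only_cookies` on and `secure` set, a request to the non-SSL host in the original question would simply arrive without the session cookie, so the authenticated scripts cannot be hosted there at all; that is the configuration-level form of the advice to keep the authenticated area behind SSL end to end. The idle and absolute limits in is_authenticated() bound the window during which a captured ID remains usable for visitors who never log out.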