January 4th, 2003, 09:09 PM
HTTP Session Security
I am making a website which uses sessions. When someone logs in, the following happens:
1. A random session id is generated and placed in the cookie.
2. The session id is also placed in a database along with the IP of the user, the username of the user and the time this session was created.
Now this is what happens on every page that needs logging in:
1. The session id in the cookie is checked to match the session id in the database, and the IP of the user is checked to match the IP in the database. If either doesn't match, the user is asked to log in.
Is this secure? How can I make it more secure? I know that if the user is on an insecure Ethernet LAN his session can get hijacked. How can I fix this?
Thank you all
January 5th, 2003, 10:05 AM
January 5th, 2003, 01:16 PM
I think using HTTPS does a lot of the work for you in securing your connection...
And don't forget a timeout (for cybercafés and other multi-user situations like schools etc.).
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio
the best station for C64 Remixes !
January 5th, 2003, 02:52 PM
1. Some users change IP during a session. This includes some AOL users, to the best of my knowledge. Whilst you might not like AOL users, unfortunately they make up a rather large proportion of the internet (sadly, even in countries which don't start with the letter A).
These users would fail your session system.
This is a classic attack against web applications, and Hotmail etc. have historically been vulnerable to it. Clearly, depending on the nature of the application, you may be fairly safe.
3. If you use HTTPS, ensure it's used for all pages which require authentication, and make sure the "secure" attribute is set on the cookie. This will tell the browser never to send the cookie over a plain HTTP link (but doesn't protect against cross-site scripting).
I would also recommend using either HTTP basic authentication over HTTPS, or client certificates instead. The former is easy to set up and not vulnerable to cross-site scripting; the latter is extremely secure (but has a big overhead on setup and requires the clients to have certificates).
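The following is an added worked example, written by the editor and not code from the original poster or from slarty, that puts the scheme from the first post and the advice in the replies side by side: a random session id stored with the username, client IP and creation time; a per-request check; an idle timeout (the cybercafé case from the second reply) plus an absolute timeout; IP binding made optional so that users whose address changes mid-session (the AOL case) are not locked out; and a Set-Cookie value with the Secure attribute so the browser never sends the id over plain HTTP. The in-memory `SessionStore`, the `session_cookie_header` helper, the cookie name `sessid` and the timeout values are all assumptions for the example; the original post only says "a database". The HttpOnly attribute is not mentioned in the thread and is added here as the usual mitigation for the cross-site-scripting gap slarty notes.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    username: str
    ip: str           # client IP at login, as the original post stores it
    created: float    # login time, epoch seconds
    last_seen: float  # time of the last successful check, drives the idle timeout


class SessionStore:
    """In-memory stand-in for the database table described in the original post.

    A real site would back this with a database; the checks are the same.
    Timeout values and the bind_ip switch are assumptions for this example.
    """

    def __init__(self, idle_timeout: float = 15 * 60,
                 absolute_timeout: float = 8 * 3600,
                 bind_ip: bool = False) -> None:
        self.idle_timeout = idle_timeout          # shared-PC / cybercafe case
        self.absolute_timeout = absolute_timeout  # hard cap on a session's life
        self.bind_ip = bind_ip                    # off by default: users change IP
        self._sessions: Dict[str, Session] = {}

    def create(self, username: str, ip: str, now: Optional[float] = None) -> str:
        """Log a user in: mint a random id and record who, from where, and when."""
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG, so the id cannot be guessed or counted up.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(username, ip, now, now)
        return sid

    def validate(self, sid: str, ip: str, now: Optional[float] = None) -> Optional[str]:
        """Per-request check: return the username for a live session, else None."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if (now - sess.created > self.absolute_timeout
                or now - sess.last_seen > self.idle_timeout):
            self.destroy(sid)          # expired: remove it and force a new login
            return None
        if self.bind_ip and ip != sess.ip:
            # Rejected but not destroyed: an attacker probing with a stolen cookie
            # from another address gets nothing, while the real user keeps working.
            # A legitimate user whose IP changed is simply asked to log in again.
            return None
        sess.last_seen = now
        return sess.username

    def destroy(self, sid: str) -> None:
        """Log out: forget the session so the cookie value is worthless afterwards."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str, https: bool = True) -> str:
    """Build the Set-Cookie header value carrying the session id.

    Secure: the browser only sends the cookie over HTTPS (slarty's point 3).
    HttpOnly: page scripts cannot read the cookie, which blunts theft via XSS.
    No Expires/Max-Age: a session cookie that dies when the browser closes.
    The cookie name "sessid" is an assumption for this example.
    """
    attrs = ["sessid=" + sid, "Path=/", "HttpOnly"]
    if https:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    store = SessionStore(bind_ip=True)
    sid = store.create("alice", "203.0.113.5")   # constructed sample login
    print(session_cookie_header(sid))
    print(store.validate(sid, "203.0.113.5"))    # alice
    print(store.validate(sid, "198.51.100.7"))   # None: IP differs from login
```

With `bind_ip=False` (the default) the IP stored at login is kept for audit purposes but not enforced, which is the trade-off slarty's first point forces: binding catches a cookie replayed from another address, at the cost of logging out every user whose address changes mid-session. Whichever way that switch is set, the timeouts and the Secure attribute still apply.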
January 5th, 2003, 04:59 PM
Wow, very helpful, slarty. Thanks.
Anyone know how Hotmail or Yahoo maintain sessions?