
[nycphp-talk] Session Thoughts

Chris Shiflett shiflett at php.net
Fri Oct 31 16:10:41 EST 2003


--- felix zaslavskiy <felix at students.poly.edu> wrote:
> I was not born under a rock and I can point to good examples of
> Fortune 100 companies totally screwing up security in web
> applications. Microsoft's Hotmail password change feature comes
> to mind.

I have never, and likely will never, point to Microsoft as an example
to follow for software development, security-related or otherwise. I,
too, was not born under a rock.

Someone mentioned observing phpBB for security-related strategies,
and I pointed out the dangers in such and gave Yahoo and Amazon as
alternatives. Your argument is that using SSL and asking for a
password is all that these entities do, so it seems you think such
observations are useless. I strongly disagree.

> I happen to be an Amazon customer and I looked up the cookies they
> left on my machine. There are 6 cookies, 5 of which are ids and one
> that has a sort of redirect URL. They don't disguise the meanings of
> the cookie values; for example, one is 'order_cache_primed' and
> another is 'sessionid'. I entered a restricted function like change
> billing and I noticed that my session id had not changed from
> before.

Take those cookies, recreate them at a friend's house (within 10
minutes if you like), and see if your friend gets access to your
account as a result.

Let me know how that goes, and then tell me if it was SSL or asking
for your password that prevented this.

Chris

=====
My Blog
     http://shiflett.org/
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp
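
The cookie-replay check Chris proposes above, written out as a script. This is an added example, not code from the original post and not anything Amazon or Yahoo publishes: the restricted path, the marker text, the two simulated servers and the session id are all constructed for illustration. The only thing it shows is how to run the check and how to read the result; which defence a real site relies on is exactly what the check is meant to tell you.

```python
"""
Cookie-replay check for a web application's session handling.

Procedure (as suggested in the post): take the cookies your own browser
holds for the site, present exactly those cookies from a *different*
client that has never typed your password, and request a restricted
function. If the restricted page is served, the cookie values alone are
the credential and anyone who copies them can act as you.

Everything named below (replay_cookies, RESTRICTED_PATH, RESTRICTED_MARKER,
the simulated servers, the session id) is an assumption for this
example, not something the thread or any real site defines.
"""
from http.cookies import SimpleCookie
from typing import Callable, Dict, Tuple

# A transport is anything that takes (path, Cookie header) and returns
# (status, body). For a live check, wrap http.client or urllib and point
# it at the site from the "friend's house" machine; the simulated servers
# below let the script run offline.
Transport = Callable[[str, str], Tuple[int, str]]

RESTRICTED_PATH = "/account/change-billing"        # assumed restricted function
RESTRICTED_MARKER = "Change billing address"       # text only the real page shows


def cookie_header(cookies: Dict[str, str]) -> str:
    """Serialise a name->value dict the way a browser sends it."""
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Inverse of cookie_header, using the standard library parser."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def replay_cookies(transport: Transport, cookies: Dict[str, str],
                   path: str = RESTRICTED_PATH,
                   marker: str = RESTRICTED_MARKER) -> bool:
    """
    Present only the replayed cookies and ask for the restricted function.
    Returns True when the restricted page itself comes back (session is
    hijackable by cookie theft alone) and False when the server refuses,
    redirects to login, or asks for credentials first.
    """
    status, body = transport(path, cookie_header(cookies))
    return status == 200 and marker in body


# --- Constructed fixtures for the offline demonstration ---------------------

VALID_SESSION = "7f3a9c2e1b"   # constructed session id, not a real one

# Cookies "copied from the browser": the two names come from the thread,
# the values are made up.
STOLEN_COOKIES = {"sessionid": VALID_SESSION, "order_cache_primed": "1"}


def naive_server(path: str, cookie_hdr: str) -> Tuple[int, str]:
    """Trusts the session id alone: whoever holds it is the user."""
    cookies = parse_cookie_header(cookie_hdr)
    if cookies.get("sessionid") != VALID_SESSION:
        return 302, "Location: /login"
    if path == RESTRICTED_PATH:
        return 200, f"<form>{RESTRICTED_MARKER}</form>"
    return 200, "<p>Your orders</p>"


def reauth_server(path: str, cookie_hdr: str) -> Tuple[int, str]:
    """
    Same session cookie, but the restricted function demands the password
    be re-entered on this very request (one illustrative defence, assumed
    here). Cookies never carry the password, so a replay only reaches the
    prompt.
    """
    cookies = parse_cookie_header(cookie_hdr)
    if cookies.get("sessionid") != VALID_SESSION:
        return 302, "Location: /login"
    if path == RESTRICTED_PATH:
        return 401, "<form>Re-enter your password to continue</form>"
    return 200, "<p>Your orders</p>"


if __name__ == "__main__":
    for name, server in (("naive", naive_server), ("reauth", reauth_server)):
        hijacked = replay_cookies(server, STOLEN_COOKIES)
        print(f"{name:7s} server: replayed cookies "
              f"{'GRANT' if hijacked else 'do not grant'} the restricted function")
```

Run it against a live site by replacing the simulated server with a transport that actually sends the request from the second machine; the interesting result is a False that appears even though every cookie was copied, because that tells you the site relies on something other than the cookie jar for that function.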


