NYCPHP Meetup

[felix zaslavskiy]

> 1. You should not try to make assumptions about what Amazon is doing.
> Rather, you should research what they are doing and find out for
> certain. Making guesses does not help you in any way, and you are
> probably wrong when you do so.
> 
Well if i had all the time in the world maybe i can figure out exactly how it works on Amazon but i dont have that interest.


> 2. You now have expanded your list of security methods to using SSL,
> asking for a password, and this weird session cookie/hidden form
> thing you are trying to explain. I suggest to you that there are even
> more methods and techniques being employed. In fact, there are many
> more. Don't assume things are so simple until you understand what is
> going on.
> 
Ok I am not going to disagree here.
One can make a long list of security methods. Another is to ask oneself weather any of the methods actualy add anything usefull.
Of the top of my head i can list these:
a. Use rewerite rules to hide variable names(seems like security by obscurity)
b. Check Referer Headers
c. You even said this check User-Agent Header
d. My guess on how amazone does it by hidden fileds (they may not do it i had not seen any such fields that may suggest that)
e. Somone suggested use transaction id and basicaly a hidded filed that changes on every form submit.

This list can go on but all these methods fail to protect against someone sniffing the TCP/IP connection. If they can see all the HTTP messages they can with time figure out how to get around all these methods. 

This is why i stressed the importantce of SSL as being primery importanse. SSL provides authentication(only of server usually), integrity and confidentiality. Something that all those other HTTP tricks cant offer. I would consider not using SSL as playing with fire and asking to be hacked.

The asking for a password again that only is ment to protect someon walking away from computer when they go on the site or if somone else sits at their computer.