NYCPHP Meetup

NYPHP.org

[nycphp-talk] sessions and application security

charlie derr cderr at simons-rock.edu
Tue Jan 27 13:06:22 EST 2004 

Chris Shiflett wrote:

<snip lots of great stuff>


> 
> What is best for one person isn't necessarily best for another. The
> architect of any Web application is likely to be the most qualified person
> to be deciding on the best session solution. All you need is a little
> background information along with some suggestions and example solutions,
> and you're set.
> 
> Just don't let anyone who suggests passing session data back and forth
> across the Internet for every transaction be making decisions about
> session security. :-)


One thing that occurs to me (which certainly wasn't implied in the 
original question,
so I'm asking about this as a totally separate issue that was just 
"jogged" into the
forefront of my mind by this highly illuminative post) is the following:

If the entire transaction (both authentication and all content served) 
was done via https,
then it really wouldn't be a security problem to use this model you 
scoff at (session data
in the url), right?

I'm not asking because I have any intention of doing this (our 
authentication code is
backed by a database -- what travels over the internet is a cookie 
holding a randomly
generated session key), rather I'm asking the question to simplyfurther my
understanding.    I'm just wondering if I'm missing something in my 
analysis --
the way I see it, if the entire conversation is encrypted via https, 
then it's not a real problem
security-wise except for the one niggling issue of a public access 
machine being
used to access the system (someone could conceivaly sit down later and 
prise anything
that was in the url out of the browser history).

     thanks for your time,
         ~c

> 
> Hope that helps.
> 

it sure helped me :-]

> Chris
> 
> =====
> Chris Shiflett - http://shiflett.org/
> 
> PHP Security Handbook
>      Coming mid-2004
> HTTP Developer's Handbook
>      http://httphandbook.org/
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
> 
> 


-- 
This is not a democracy, it's a cheerocracy.
   -Torrance Shipman in _Bring it On_

More information about the talk mailing list