[nycphp-talk] sessions and application security
charlie derr
cderr at simons-rock.edu
Tue Jan 27 13:40:21 EST 2004
Mitch Pirtle wrote:
> charlie derr wrote:
>
>> One thing that occurs to me (which certainly wasn't implied in the
>> original question, so I'm asking about this as a totally separate
>> issue that was just "jogged" into the forefront of my mind by this
>> highly illuminative post) is the following:
>>
>> If the entire transaction (both authentication and all content served)
>> was done via https, then it really wouldn't be a security problem to
>> use this model you scoff at (session data in the url), right?
>
>
> Nope, unfortunately your session data will be in the URL, which goes
> over in cleartext (think about HTTP_REFERER and such).
>
Good point! I completely missed that one.

Just to be pedantic (well, and to understand more completely what's
happening): if a person were to take this approach and make sure there
were no links anywhere within the authenticated content to an outside
page (only links to other authenticated pages and a "logout" page which
would obviously remove the session information from the (next) url),
then this would take care of that concern, wouldn't it?

Or maybe there's a more insidious problem of some headers of an https
session being sent cleartext (if this is the case I certainly wasn't
aware of it previously).
thanks again,
~c
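To make the Referer leak concrete, here is an added example (not from this thread or its authors) that models what Referer value a browser sends when following a link away from a page whose URL carries a session id, under the policies later standardised as Referrer-Policy; `no-referrer-when-downgrade` is the historical default behaviour the thread describes, where a cross-site https-to-https link sends the full URL, session id included. The URLs and the parameter names in SESSION_PARAMS are constructed for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Query-string names commonly used to carry a session id in the URL
# (constructed list; PHP's default is PHPSESSID).
SESSION_PARAMS = {"PHPSESSID", "sid", "session_id"}

def _origin(url):
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]          # drop any userinfo
    return f"{p.scheme}://{host}".lower()

def _referer_value(url):
    # A Referer never carries the fragment or userinfo, but it does
    # carry the full path and query string, which is where the leak is.
    p = urlsplit(url)
    return p._replace(fragment="", netloc=p.netloc.rsplit("@", 1)[-1]).geturl()

def referer_for_navigation(current_url, target_url,
                           policy="no-referrer-when-downgrade"):
    """Referer header sent when a link on current_url leads to target_url
    under the given Referrer-Policy value; None means no header is sent."""
    full = _referer_value(current_url)
    same_origin = _origin(current_url) == _origin(target_url)
    downgrade = (urlsplit(current_url).scheme == "https"
                 and urlsplit(target_url).scheme == "http")
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":       # 2004-era behaviour
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin-when-cross-origin":  # current default
        if downgrade:
            return None
        return full if same_origin else _origin(current_url) + "/"
    raise ValueError(f"unknown policy: {policy}")

def leaked_session_ids(referer):
    """Session ids a third-party site would learn from that Referer."""
    if not referer:
        return {}
    qs = parse_qs(urlsplit(referer).query)
    return {k: v[0] for k, v in qs.items() if k in SESSION_PARAMS}
```

Running `leaked_session_ids(referer_for_navigation(...))` against an external link shows the id leaving the site under the historical policy and being stripped to the bare origin under the current default, which is why cookie-based sessions, not link hygiene, are the durable fix.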