Hi Everyone-
I was reading a few posts about sessions and security, and it seems
that the best way to address sessions security is to require
authentication every time the user needs to get to sensitive data (or
protect the session data with SSL). In other words, assume that the
world can see your session data stored in cookies if you're not using
SSL. So, I started looking for exceptions to this rule of thumb
(requiring authentication for sensitive data, even if the user has
already logged in and has session data in a cookie), and I found one
on ebay. If you log on to ebay, and then go to your personal
information, and then try to edit, say, your credit card information,
you are asked to log in. However, if you check the check box that
says "keep me logged in for 1 day unless I log out" (or whatever), you
no longer have to log in to get to your credit card information. So
obviously, they have secured the session data without SSL (or https).
How is this accomplished? Is there an equivalent construct in PHP?
Thanks,
Dino
9  1577 
dino d. wrote:
Hi Everyone-
I was reading a few posts about sessions and security, and it seems
that the best way to address sessions security is to require
authentication every time the user needs to get to sensitive data (or
protect the session data with SSL). In other words, assume that the
world can see your session data stored in cookies if you're not using
SSL. So, I started looking for exceptions to this rule of thumb
(requiring authentication for sensitive data, even if the user has
already logged in and has session data in a cookie), and I found one
on ebay. If you log on to ebay, and then go to your personal
information, and then try to edit, say, your credit card information,
you are asked to log in. However, if you check the check box that
says "keep me logged in for 1 day unless I log out" (or whatever), you
no longer have to log in to get to your credit card information. So
obviously, they have secured the session data without SSL (or https).
How is this accomplished? Is there an equivalent construct in PHP?
Thanks,
Dino
Dino,
You don't "protect the session with SSL". You protect data being sent
between the browser and the server with SSL.
Yes, some of this data can be the session ID (via cookie or URL), and to
be perfectly secure the session ID should be sent over a secure connection.
But obviously EBay has decided this part is not required for their needs
- which is their choice.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
"dino d." <di*********@ya hoo.comwrote:
I was reading a few posts about sessions and security, and it seems
that the best way to address sessions security is to require
authentication every time the user needs to get to sensitive data (or
protect the session data with SSL). In other words, assume that the
world can see your session data stored in cookies if you're not using
SSL. So, I started looking for exceptions to this rule of thumb
(requiring authentication for sensitive data, even if the user has
already logged in and has session data in a cookie), and I found one
on ebay. If you log on to ebay, and then go to your personal
information, and then try to edit, say, your credit card information,
you are asked to log in. However, if you check the check box that
says "keep me logged in for 1 day unless I log out" (or whatever), you
no longer have to log in to get to your credit card information. So
obviously, they have secured the session data without SSL (or https).
How is this accomplished? Is there an equivalent construct in PHP?
This is not a feature of a specific language, but a property of
the HTTP protocol. Every cookie has several parameters you can
set, read carefully the description of the function setcookie() www.php.net/manual/en/function.setcookie.php
Between these parameters there are expire, path, domain and secure, so
that the cookies can be sent from the client to the server only on SLL,
or only on a well defined domain/path where the secure pages are located.
About the expire time: zero means "expire when the browser closes", 24*60*60
means "expire after a day". The check box you found just tell to the server
which value it will use.
Regards,
___
/_|_\ Umberto Salsi
\/_\/ www.icosaedro.it
On Mar 12, 7:46 pm, Umberto Salsi <s...@icosaedro .italiawrote:
"dino d." <dinodorr...@ya hoo.comwrote:
I was reading a few posts about sessions and security, and it seems
that the best way to address sessions security is to require
authentication every time the user needs to get to sensitive data (or
protect the session data with SSL). In other words, assume that the
world can see your session data stored in cookies if you're not using
SSL. So, I started looking for exceptions to this rule of thumb
(requiring authentication for sensitive data, even if the user has
already logged in and has session data in a cookie), and I found one
on ebay. If you log on to ebay, and then go to your personal
information, and then try to edit, say, your credit card information,
you are asked to log in. However, if you check the check box that
says "keep me logged in for 1 day unless I log out" (or whatever), you
no longer have to log in to get to your credit card information. So
obviously, they have secured the session data without SSL (or https).
How is this accomplished? Is there an equivalent construct in PHP?
This is not a feature of a specific language, but a property of
the HTTP protocol. Every cookie has several parameters you can
set, read carefully the description of the function setcookie()www.php.net/manual/en/function.setcookie.php
Between these parameters there are expire, path, domain and secure, so
that the cookies can be sent from the client to the server only on SLL,
or only on a well defined domain/path where the secure pages are located.
About the expire time: zero means "expire when the browser closes", 24*60*60
means "expire after a day". The check box you found just tell to the server
which value it will use.
Regards,
___
/_|_\ Umberto Salsi
\/_\/ www.icosaedro.it
The eBay example you gave isn't necessarily a security flaw, because
we have no idea what other methods they use to authenticate on top of
the data stored in the cookie(s). They might be tracking your IP
address or even the port number on your machine that's accessing
eBay's server -- data which you don't store remotely. If these don't
match they might ask you to re-authenticate.
>I was reading a few posts about sessions and security, and it seems
>that the best way to address sessions security is to require
authenticati on every time the user needs to get to sensitive data (or
protect the session data with SSL). In other words, assume that the
Having to put a password on every page view gets tedious, fast.
>world can see your session data stored in cookies if you're not using
Session data is not stored in cookies or anywhere on the browser.
Session identifiers are often stored in cookies. A session identifier
is sensitive while the session exists (due to possibility of sesson
hijacking) but it does not contain credit card numbers, etc. itself.
An expired session identifier is (on a properly designed site)
worthless.
>SSL. So, I started looking for exceptions to this rule of thumb
(requiring authentication for sensitive data, even if the user has
already logged in and has session data in a cookie), and I found one
on ebay. If you log on to ebay, and then go to your personal
information, and then try to edit, say, your credit card information,
you are asked to log in. However, if you check the check box that
says "keep me logged in for 1 day unless I log out" (or whatever), you
no longer have to log in to get to your credit card information. So
obviously, they have secured the session data without SSL (or https).
How is this accomplished? Is there an equivalent construct in PHP?
If you have an unexpired session, that session ID can be used to
access whatever information the site will let you do with it (for
example, order something and charge it to your saved credit card).
That's effectively what Ebay is letting you do by extending how
long your session lasts. Session expiration doesn't have to be a
fixed time.
Note: some sites have special rules for security:
1. If you change your password, you have to supply the old password
EVEN IF YOU ARE LOGGED IN. It's just too easy for someone to spot an
unattended computer, change the password, and own the account forever.
2. You cannot *EVER* look at the full credit card number being used,
(last 4 digits, maybe) although you can change it.
3. You may have to enter your password to view stored personal data,
if that's possible at all, EVEN IF YOU ARE LOGGED IN. Changing
personal data may be less sensitive than reading it.
address or even the port number on your machine that's accessing
eBay's server -- data which you don't store remotely. If these don't
match they might ask you to re-authenticate.
thanks for all the replies. let me ask a specific follow up- the
sequence of events goes like this:
a) user types their username and password into a browser, and clicks
submit over an SSL connection
b) user then is brought to a non-ssl connection, where they click
something like "edit password"
c) user is brought to a "change password" page, which is an SSL
connection
it seems to me that in step b, a hacker could catch the session,
correct? so are we to assume that ebay is doing something in addition
to sessions, such as IP recording, etc.?
thanks again,
dino
>a) user types their username and password into a browser, and clicks
>submit over an SSL connection
This protects the username and password. And, at this stage, the
session cookie.
>b) user then is brought to a non-ssl connection, where they click
something like "edit password"
The session cookie is exposed here, unless the cookie was a https-only
cookie. But as I recall, Ebay uses your session info for lots of
stuff (like "My Ebay") on non-secure pages, so I don't think it was
a https-only cookie.
>c) user is brought to a "change password" page, which is an SSL
connection
it seems to me that in step b, a hacker could catch the session,
correct?
Only if he is in a position to sniff your traffic, which isn't real
easy to do unless he's an employee of some company along the way:
your ISP, Ebay, a phone company, etc.
>so are we to assume that ebay is doing something in addition
to sessions, such as IP recording, etc.?
Not necessarily. They may simply *NOT CARE*. Why, for example,
do banks not require DNA tests to use a credit card? How about a
photo id? Why do they not require a PIN to use a credit card? How
about a signature even if the transaction is under $25? Because
the losses stopped don't make up for the costs and lost business
due to the hassle.
address or even the port number on your machine that's accessing
eBay's server -- data which you don't store remotely. If these don't
match they might ask you to re-authenticate.
thanks for all the replies. let me ask a specific follow up- the
sequence of events goes like this:
a) user types their username and password into a browser, and clicks
submit over an SSL connection
b) user then is brought to a non-ssl connection, where they click
something like "edit password"
c) user is brought to a "change password" page, which is an SSL
connection
it seems to me that in step b, a hacker could catch the session,
correct? so are we to assume that ebay is doing something in addition
to sessions, such as IP recording, etc.?
thanks again,
dino
dino d. wrote:
>address or even the port number on your machine that's accessing
eBay's server -- data which you don't store remotely. If these don't
match they might ask you to re-authenticate.
thanks for all the replies. let me ask a specific follow up- the
sequence of events goes like this:
a) user types their username and password into a browser, and clicks
submit over an SSL connection
b) user then is brought to a non-ssl connection, where they click
something like "edit password"
c) user is brought to a "change password" page, which is an SSL
connection
it seems to me that in step b, a hacker could catch the session,
correct? so are we to assume that ebay is doing something in addition
to sessions, such as IP recording, etc.?
thanks again,
dino
Who knows? I doubt anyone on this list is familiar with EBay's code.
So why not ask them?
But this also has nothing to do with PHP. It could be any language.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
But this also has nothing to do with PHP. It could be any language.
>
Fair enough, thanks for all the replies. Let me just post a generic,
though I hope, still PHP-relevant conclusion. Session handlers stored
in cookies are always vulnerable to packet sniffing attacks and there
is no PHP construct to do anything about this vulnerability. In other
words, if you want to tack on additional IP tracking or something,
you're on your own. Is this a fair conclusion? Thanks again for all
the replies.
Dino This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: The Plankmeister |
last post by:
Hi...
I'm trying my hardest to understand fully how sessions work and how best to
use them. However, all I can find is information that doesn't tell me
anything other than that sessions store information between pages, which I
knew already. I want to know HOW sessions work! If anybody has any good
links to material that explains sessions fully, then please send those links
this way!
I'm particularly interested in the...
|
by: windandwaves |
last post by:
Hi Gurus
I am basically sorry that I have to bother you about this. I am a PHP
beginner and I have been studying sessions and cookies over the last few
weeks. I have learned lots, but I am missing the big picture.
Is it like this:
1. user comes to site
2. user does something (e.g. a search) that may be useful later => session
|
by: Ik Ben Het |
last post by:
Hello,
I posted a simular question in the "IIS Security" group but it think it
is more usefull to post it here.
I want to do something very simpel. Make a part of my website available
only for users with a username and password. The site is mainly ASP
based. The webserver is an IIS6 and I do NOT have access to server
settings (session timeout, security,...).
|
by: Rob |
last post by:
I have an ASP.NET application that uses forms-based
authentication. A user wishes to be able to run multiple
sessions of this application simultaneously from the
user's client machine.
The web.config file is configured as such:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All"
name="myApplication"/>
</authentication>
|
by: Daniel Walzenbach |
last post by:
Hi,
I have a web application which sometimes throws an “out of memory”
exception. To get an idea what happens I traced some values using performance
monitor and got the following values (for one day):
\\FFDS24\ASP.NET Applications(_LM_W3SVC_1_Root_ATV2004)\Errors During
Execution: 7
\\FFDS24\ASP.NET Apps v1.1.4322(_LM_W3SVC_1_Root_ATV2004)\Compilations
| | |
by: Dean R. Henderson |
last post by:
For an ASP.NET web application, is there a way for one session (with
appropriate security authorization) to set a HttpSessionState variable to
point to another session and execute the Abandon command to close out the
other session?
|
by: magic_hat60622 |
last post by:
Hi all. I've got an app that dumps a user id into a session after
successful login. the login page is http://www.mydomain.com/login.php.
If the user visits pages on my site without the www (i.e.,
http://mydomain.com/foo.php), the session works fine and login state is
maintained.
If he visits http://www.mydomain.com/foo.php, the app drops the
logged-in state.
|
by: Jon Slaughter |
last post by:
Any pitfalls or stuff I need to worry about when working with sessions? I
want to write a log file and hit counter along with a login interface and
I'm trying to learn this stuff.
http://us.php.net/session
Just wondering if theres anything that I need to keep in mind while I work
on it?
Thanks,
|
by: Bookham Measures |
last post by:
Hello
We are planning to set-up a load balanced web environment. Accordingly, we
are going to change the session management on our website from the classic
ASP Session State and session variables, to a database method.
Does any one have any pointers as to how I might approach this, so that I
can have the same sort of functionality the ASP sessions give without having
to create database columns for each session variable I wish to...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, well explore What is ONU, What Is Router, ONU & Routers main usage, and What is the difference between ONU and Router. Lets take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| | |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| | |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
