Search found 33 matches
- Sat Jun 14, 2008 1:12 am
- Forum: PHP - Security
- Topic: Authentication Secure? (another login form =/ )
- Replies: 12
- Views: 2687
Re: Authentication Secure? (another login form =/ )
$password = md5($_POST['password']); You can enhance the security level of your web site by writing a new encryption function. As you know, md5 is not always safe now, because the dictionaries for breaking md5 encryption using brute force have been enhanced ^^. You don't need to code a new encryption method :D , j...
- Fri Jun 06, 2008 2:42 am
- Forum: PHP - Security
- Topic: php Code - Help needed
- Replies: 11
- Views: 2231
Re: php Code - Help needed
Hi All, I am in need of urgent help. One of the companies is putting a court case against me, saying the following code I wrote in 2006 was the ONLY reason for a server crash with another 194 sites on the same server. The following was the code I wrote.. ..and they say the following way I should have w...
- Fri Jun 06, 2008 2:06 am
- Forum: PHP - Security
- Topic: Secure and Secure items problem
- Replies: 4
- Views: 969
Re: Secure and Secure items problem
Usually what I do in your case, when all else fails, is save the file as HTML, remove the javascript from the source, then run the page through https. If you still get the message, remove some more html code and try again until you have removed the right block of code causing the problem.
- Thu May 15, 2008 8:12 am
- Forum: PHP - Security
- Topic: Prevent Session Hijacking with HTTP and a little HTTPS
- Replies: 26
- Views: 5737
Re: Prevent Session Hijacking with HTTP and a little HTTPS
The most common way of hijacking a session is through XSS with cookie-stealing javascript. Your options:.. ..2. IP/User agent locking of the session (not 100% guaranteed to work).. ..In some MITM scenarios (commonly, proxies) one could also actively modify http requests and responses. A simple chan...
- Thu May 15, 2008 6:28 am
- Forum: PHP - Security
- Topic: Prevent Session Hijacking with HTTP and a little HTTPS
- Replies: 26
- Views: 5737
Re: Prevent Session Hijacking with HTTP and a little HTTPS
I was never intending to out-do https, only http.. Anyway, I have already waved the white flag. But, you might want to go to shiflett.org and give them the heads up.. Chris is a member of this forum, I expect he'll read this eventually. Yes, I know and Mordred is his biggest fan. I'd love to see hi...
- Thu May 15, 2008 6:12 am
- Forum: PHP - Security
- Topic: Prevent Session Hijacking with HTTP and a little HTTPS
- Replies: 26
- Views: 5737
Re: Prevent Session Hijacking with HTTP and a little HTTPS
In some MITM scenarios (commonly, proxies) one could also actively modify http requests and responses. A simple change of resource URL would cause the client to leak the SID to the proxy. It's a fail, go over it. That's what https is intended for. Mordred, I was never intending to out-do https, onl...
- Thu May 15, 2008 6:02 am
- Forum: PHP - Security
- Topic: Prevent Session Hijacking with HTTP and a little HTTPS
- Replies: 26
- Views: 5737
Re: Prevent Session Hijacking with HTTP and a little HTTPS
Your method, requiring the opening of three pages, getting their information and processing it... It might be even slower to regenerate, and the user might not be there to wait for that. I believe the best way would be to have all your images, javascript and stylesheets on a different domain or subdom...
- Wed May 14, 2008 4:24 am
- Forum: PHP - Security
- Topic: Prevent Session Hijacking with HTTP and a little HTTPS
- Replies: 26
- Views: 5737
Re: Prevent Session Hijacking with HTTP and a little HTTPS
Bruno De Barros, onion2k,
Instead of RegenerateIdentifier.php being a 1x1 px image, it could also be a small "Seal of Security" or "Hacker Safe" image. You could also add in the Terms of Use to wait for the seal to load. Of course this idea decreases performance slightly.
- Wed May 14, 2008 3:54 am
- Forum: PHP - Security
- Topic: Prevent Session Hijacking with HTTP and a little HTTPS
- Replies: 26
- Views: 5737
Re: Prevent Session Hijacking with HTTP and a little HTTPS
After performance testing, this is what I can only hope the outcome produces: (*security ratings based on session hijacking via sniffing packets) Pure HTTPS #3 Performance Rating #1 Security Rating HTTP/HTTPS Hybrid (my method) #2 Performance Rating #2 Security Rating HTTP Methods (IP and/or User Ag...
- Wed May 14, 2008 3:14 am
- Forum: PHP - Security
- Topic: Prevent Session Hijacking with HTTP and a little HTTPS
- Replies: 26
- Views: 5737
Re: Prevent Session Hijacking with HTTP and a little HTTPS
I think I've spotted another potential, albeit unlikely, problem with your solution. I load a page. This page then requests your "image" which goes to the server and returns a 302 redirect header, which my browser follows to the SSL encrypted script that regenerates the session id. If I c...
- Tue May 13, 2008 6:36 pm
- Forum: PHP - Security
- Topic: Prevent Session Hijacking with HTTP and a little HTTPS
- Replies: 26
- Views: 5737
Re: Prevent Session Hijacking with HTTP and a little HTTPS
This is the bit that confuses me. You're selling this as a security solution to defend against something, namely session hijacking via packet sniffing. The problem I have though is that SSL is a really good solution to that issue. What you're really trying to sell in this thread is a solution to sa...
- Tue May 13, 2008 3:22 am
- Forum: PHP - Security
- Topic: Prevent Session Hijacking with HTTP and a little HTTPS
- Replies: 26
- Views: 5737
Re: Prevent Session Hijacking with HTTP and a little HTTPS
vspin, SSL protects against traffic interception, which is only one way (and the less frequent one at that) of session hijacking. You are not understanding the attack and your protection attempt is inadequate. You also seem to be mixing session hijacking and session fixation, which are related, but...
- Tue May 13, 2008 3:16 am
- Forum: PHP - Security
- Topic: Prevent Session Hijacking with HTTP and a little HTTPS
- Replies: 26
- Views: 5737
Re: Prevent Session Hijacking with HTTP and a little HTTPS
You're still not paying attention to what's being said and keep trying to solve a non-problem - and keep failing at that. I won't repeat myself and onion2k why - this is a written media, go and reread it yourself. Easy with the hostility. :) I think you're speaking of performance, but I'll go rerea...
- Tue May 13, 2008 2:58 am
- Forum: PHP - Security
- Topic: Prevent Session Hijacking with HTTP and a little HTTPS
- Replies: 26
- Views: 5737
Re: Prevent Session Hijacking with HTTP and a little HTTPS
I have to say that surprises me. I would have thought it would revalidate. When I came up with the idea, I was thinking the same thing, but after I tried it, it worked. Surprised me as well. This is nice man. The third request is nice, and if you just return a 1x1 image (remember on IE 6 it will pr...
- Tue May 13, 2008 2:42 am
- Forum: PHP - Security
- Topic: Prevent Session Hijacking with HTTP and a little HTTPS
- Replies: 26
- Views: 5737
Re: Prevent Session Hijacking with HTTP and a little HTTPS
How is the new session id being transmitted to the user? It'll be a cookie in the response header for redirect.php won't it? Eg, not over SSL, unencrypted, and providing no additional security. In fact, just providing the attacker with an additional opportunity to steal it. Edit: Actually, that dep...