Search found 33 matches

by vspin
Sat Jun 14, 2008 1:12 am
Forum: PHP - Security
Topic: Authentication Secure? (another login form =/ )
Replies: 12
Views: 2687

Re: Authentication Secure? (another login form =/ )

$password = md5($_POST['password']); You can enhance the security level of your web site by writing a new encryption function. As you know, md5 is not always safe now, because the dictionary for breaking md5 encryption using brute force has been enhanced ^^. You don't need to code a new encryption method :D, j...
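The point made above, as an added example (editor's code, not from the post or the forum): a bare `md5()` of the password is reversed by a precomputed table, whereas a per-user salted hash is not. The lookup table is constructed inline to stand in for the "enhanced dictionary"; `password_hash()` / `password_verify()` are the PHP 5.5+ built-ins, so no home-made scheme is needed.

```php
<?php
// Added example: why md5($_POST['password']) is a weak password store and
// what to use instead. The "dictionary" below is constructed for the demo.

// Attacker's precomputed table: md5(common password) => password.
$dictionary = [];
foreach (['123456', 'password', 'letmein', 'qwerty'] as $p) {
    $dictionary[md5($p)] = $p;
}

// The scheme from the thread: unsalted md5. Every user with the same
// password gets the same digest, and one table lookup recovers it.
$stored_md5 = md5('letmein');
echo "md5 reversed to: " . ($dictionary[$stored_md5] ?? '(not found)') . "\n"; // letmein

// Replacement: password_hash() picks a random salt per call and uses a slow
// algorithm (bcrypt for PASSWORD_DEFAULT), so the table is useless and two
// users with the same password get different hashes.
$h1 = password_hash('letmein', PASSWORD_DEFAULT);
$h2 = password_hash('letmein', PASSWORD_DEFAULT);
echo "salted hash reversed to: " . ($dictionary[$h1] ?? '(not found)') . "\n"; // (not found)
var_dump($h1 !== $h2);                     // bool(true): different salts

// Login check against the stored hash; the salt is embedded in $stored_hash.
function check_login(string $submitted, string $stored_hash): bool
{
    return password_verify($submitted, $stored_hash);
}

var_dump(check_login('letmein', $h1));     // bool(true)
var_dump(check_login('letme1n', $h1));     // bool(false)
```

Store the string returned by `password_hash()` as-is (it is about 60 characters for bcrypt); never truncate it to a fixed 32-character column sized for md5.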
by vspin
Fri Jun 06, 2008 2:42 am
Forum: PHP - Security
Topic: php Code - Help needed
Replies: 11
Views: 2231

Re: php Code - Help needed

Hi All, I am in need of urgent help. One of the companies is putting a court case against me saying the following code I wrote in 2006 was the ONLY reason for a server crash with another 194 sites on the same server. The following was the code I wrote.. ..and they say the following way I should have w...
by vspin
Fri Jun 06, 2008 2:06 am
Forum: PHP - Security
Topic: Secure and Secure items problem
Replies: 4
Views: 969

Re: Secure and Secure items problem

Usually what I do in your case, when all else fails, is save the file as HTML, remove the javascript from the source, then run the page through https. If you still get the message, remove some more html code and try again until you have removed the right block of code causing the problem.
by vspin
Thu May 15, 2008 8:12 am
Forum: PHP - Security
Topic: Prevent Session Hijacking with HTTP and a little HTTPS
Replies: 26
Views: 5737

Re: Prevent Session Hijacking with HTTP and a little HTTPS

The most common way of hijacking a session is through XSS with cookie-stealing javascript. Your options:.. ..2. IP/User agent locking of the session (not 100% guaranteed to work).. ..In some MITM scenarios (commonly, proxies) one could also actively modify http requests and responses. A simple chan...
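Option 2 from the post above, "IP/User agent locking" of the session, as an added example (editor's code, not the poster's). Function names and the three sample requests are constructed; the third request shows why the post calls this "not 100% guaranteed".

```php
<?php
// Added example: bind a PHP session to the client's network and User-Agent.
// Sample requests below are constructed to stand in for $_SERVER.

// Fingerprint the client from properties a cookie thief on another network
// is unlikely to match. Only the first three octets of the IPv4 address are
// used so users behind load-balanced proxies are not logged out constantly.
function session_fingerprint(array $server): string
{
    $ip  = $server['REMOTE_ADDR'] ?? '';
    $ua  = $server['HTTP_USER_AGENT'] ?? '';
    $net = implode('.', array_slice(explode('.', $ip), 0, 3));
    return hash('sha256', $net . '|' . $ua);
}

// Call on every request after session_start(). Returns false (and discards
// the session data) when the request does not match the fingerprint
// recorded on the session's first request.
function enforce_session_lock(array &$session, array $server): bool
{
    $fp = session_fingerprint($server);
    if (!isset($session['fp'])) {            // first request: record the lock
        $session['fp'] = $fp;
        return true;
    }
    if (hash_equals($session['fp'], $fp)) {
        return true;
    }
    $session = [];                           // looks hijacked: drop everything
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);         // and invalidate the stolen id
    }
    return false;
}

// Constructed requests.
$owner  = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64)'];
$nearby = ['REMOTE_ADDR' => '203.0.113.44', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64)'];
$remote = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'curl/7.64.0'];

$session = [];
var_dump(enforce_session_lock($session, $owner));   // bool(true): lock recorded
var_dump(enforce_session_lock($session, $nearby));  // bool(true): same /24, same UA string
var_dump(enforce_session_lock($session, $remote));  // bool(false): session cleared
```

The User-Agent header is chosen by the client, and a cookie-stealing script injected via XSS runs inside the victim's own browser, so the attacker can replay the exact same string from the same network; the lock only raises the bar for a remote sniffer, which is why it is listed as a partial measure rather than a fix.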
by vspin
Thu May 15, 2008 6:28 am
Forum: PHP - Security
Topic: Prevent Session Hijacking with HTTP and a little HTTPS
Replies: 26
Views: 5737

Re: Prevent Session Hijacking with HTTP and a little HTTPS

I was never intending to out-do https, only http.. Anyway, I have already waved the white flag. But, you might want to go to shiflett.org and give them the heads up.. Chris is a member of this forum, I expect he'll read this eventually. Yes, I know and Mordred is his biggest fan. I'd love to see hi...
by vspin
Thu May 15, 2008 6:12 am
Forum: PHP - Security
Topic: Prevent Session Hijacking with HTTP and a little HTTPS
Replies: 26
Views: 5737

Re: Prevent Session Hijacking with HTTP and a little HTTPS

In some MITM scenarios (commonly, proxies) one could also actively modify http requests and responses. A simple change of resource URL would cause the client to leak the SID to the proxy. It's a fail, go over it. That's what https is intended for. Mordred, I was never intending to out-do https, onl...
by vspin
Thu May 15, 2008 6:02 am
Forum: PHP - Security
Topic: Prevent Session Hijacking with HTTP and a little HTTPS
Replies: 26
Views: 5737

Re: Prevent Session Hijacking with HTTP and a little HTTPS

Your method, requiring the opening of three pages, getting their information and processing it... It might be even slower to regenerate, and the user might not be there to wait for that. I believe the best way would be to have all your images, javascript and stylesheets on a different domain or subdom...
by vspin
Wed May 14, 2008 4:24 am
Forum: PHP - Security
Topic: Prevent Session Hijacking with HTTP and a little HTTPS
Replies: 26
Views: 5737

Re: Prevent Session Hijacking with HTTP and a little HTTPS

Bruno De Barros, onion2k,

Instead of RegenerateIdentifier.php being a 1x1 px image, it could also be a small "Seal of Security" or "Hacker Safe" image. You could also add in the Terms of Use to wait for the seal to load. Of course this idea decreases performance slightly.
by vspin
Wed May 14, 2008 3:54 am
Forum: PHP - Security
Topic: Prevent Session Hijacking with HTTP and a little HTTPS
Replies: 26
Views: 5737

Re: Prevent Session Hijacking with HTTP and a little HTTPS

After performance testing, this is what I can only hope the outcome produces (*security ratings based on session hijacking via sniffing packets):
Pure HTTPS: #3 Performance Rating, #1 Security Rating
HTTP/HTTPS Hybrid (my method): #2 Performance Rating, #2 Security Rating
HTTP Methods (IP and/or User Ag...
by vspin
Wed May 14, 2008 3:14 am
Forum: PHP - Security
Topic: Prevent Session Hijacking with HTTP and a little HTTPS
Replies: 26
Views: 5737

Re: Prevent Session Hijacking with HTTP and a little HTTPS

I think I've spotted another potential, albeit unlikely, problem with your solution. I load a page. This page then requests your "image" which goes to the server and returns a 302 redirect header, which my browser follows to the SSL encrypted script that regenerates the session id. If I c...
by vspin
Tue May 13, 2008 6:36 pm
Forum: PHP - Security
Topic: Prevent Session Hijacking with HTTP and a little HTTPS
Replies: 26
Views: 5737

Re: Prevent Session Hijacking with HTTP and a little HTTPS

This is the bit that confuses me. You're selling this as a security solution to defend against something, namely session hijacking via packet sniffing. The problem I have though is that SSL is a really good solution to that issue. What you're really trying to sell in this thread is a solution to sa...
by vspin
Tue May 13, 2008 3:22 am
Forum: PHP - Security
Topic: Prevent Session Hijacking with HTTP and a little HTTPS
Replies: 26
Views: 5737

Re: Prevent Session Hijacking with HTTP and a little HTTPS

vspin, SSL protects against traffic interception, which is only one way (and the less frequent one at that) of session hijacking. You are not understanding the attack and your protection attempt is inadequate. You also seem to be mixing session hijacking and session fixation, which are related, but...
by vspin
Tue May 13, 2008 3:16 am
Forum: PHP - Security
Topic: Prevent Session Hijacking with HTTP and a little HTTPS
Replies: 26
Views: 5737

Re: Prevent Session Hijacking with HTTP and a little HTTPS

You're still not paying attention to what's being said and keep trying to solve a non-problem - and keep failing at that. I won't repeat myself and onion2k why - this is a written media, go and reread it yourself. Easy with the hostility. :) I think you're speaking of performance, but I'll go rerea...
by vspin
Tue May 13, 2008 2:58 am
Forum: PHP - Security
Topic: Prevent Session Hijacking with HTTP and a little HTTPS
Replies: 26
Views: 5737

Re: Prevent Session Hijacking with HTTP and a little HTTPS

I have to say that surprises me. I would have thought it would revalidate. When I came up with the idea, I was thinking the same thing, but after I tried it, it worked. Surprised me as well. This is nice man. The third request is nice, and if you just return a 1x1 image (remember on IE 6 it will pr...
by vspin
Tue May 13, 2008 2:42 am
Forum: PHP - Security
Topic: Prevent Session Hijacking with HTTP and a little HTTPS
Replies: 26
Views: 5737

Re: Prevent Session Hijacking with HTTP and a little HTTPS

How is the new session id being transmitted to the user? It'll be a cookie in the response header for redirect.php won't it? Eg, not over SSL, unencrypted, and providing no additional security. In fact, just providing the attacker with an additional opportunity to steal it. Edit: Actually, that dep...
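The objection raised in this post and the flow described in the rest of the thread, as an added example (editor's code, not the poster's and not the forum's). It rebuilds the hybrid scheme, an HTTP page embedding a 1x1 image whose URL 302-redirects to an HTTPS script that regenerates the session id, and then traces which requests carry the session cookie. The hostname, file name, cookie values and the small cookie-jar model are constructed for the illustration; the `Secure` cookie attribute is the editor's addition to show the two possible outcomes.

```php
<?php
// Added example: trace the HTTP/HTTPS hybrid session-id regeneration and see
// where the fresh id travels. Everything below is constructed for the demo.

// --- Server side: the HTTPS regeneration endpoint (RegenerateIdentifier.php) ---
// Takes a $_SERVER-like array and returns [status, headers, body] so the flow
// can be traced offline. In a real script the cookie would come from
// session_start() followed by session_regenerate_id(true).
function regenerate_identifier(array $server, bool $secure_flag): array
{
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    if (!$https) {
        // Reached over plain HTTP: bounce to HTTPS before touching the session.
        return [302, ['Location' => 'https://' . $server['HTTP_HOST'] . $server['REQUEST_URI']], ''];
    }
    $new_id = bin2hex(random_bytes(16));           // stands in for session_regenerate_id(true)
    $cookie = 'PHPSESSID=' . $new_id . '; Path=/' . ($secure_flag ? '; Secure' : '');
    $gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'); // 1x1 GIF
    return [200, ['Set-Cookie' => $cookie, 'Content-Type' => 'image/gif', 'Cache-Control' => 'no-store'], $gif];
}

// --- Client side: a minimal cookie jar (name => value, domain, path, secure) ---
function jar_store(array &$jar, string $set_cookie, string $host): void
{
    $attrs = array_map('trim', explode(';', $set_cookie));
    [$name, $value] = explode('=', array_shift($attrs), 2);
    $jar[$name] = ['value' => $value, 'domain' => $host, 'path' => '/', 'secure' => false];
    foreach ($attrs as $a) {
        if (strcasecmp($a, 'Secure') === 0) {
            $jar[$name]['secure'] = true;
        } elseif (stripos($a, 'Path=') === 0) {
            $jar[$name]['path'] = substr($a, 5);
        }
    }
}

// The Cookie header a browser attaches to a request for $url.
function cookie_header_for(array $jar, string $url): string
{
    $u = parse_url($url);
    $sent = [];
    foreach ($jar as $name => $c) {
        if ($c['secure'] && $u['scheme'] !== 'https') continue;   // never on plain HTTP
        if (strcasecmp($c['domain'], $u['host']) !== 0) continue;
        if (strpos($u['path'] ?? '/', $c['path']) !== 0) continue;
        $sent[] = $name . '=' . $c['value'];
    }
    return implode('; ', $sent);
}

// --- Trace the hybrid flow once without and once with the Secure flag ---
function trace(bool $secure_flag): array
{
    $jar  = [];
    $host = 'example.com';
    // 1. HTTP page load: the old id is already on the wire in clear text.
    jar_store($jar, 'PHPSESSID=oldsid123; Path=/', $host);
    $log = ['GET http://example.com/page.php  Cookie: ' . cookie_header_for($jar, 'http://example.com/page.php')];
    // 2. The <img> request goes out over HTTP and is redirected to HTTPS.
    [$st, $hdr] = regenerate_identifier(['HTTP_HOST' => $host, 'REQUEST_URI' => '/RegenerateIdentifier.php'], $secure_flag);
    $log[] = "GET http://example.com/RegenerateIdentifier.php -> $st " . $hdr['Location'];
    // 3. The HTTPS request regenerates the id; this Set-Cookie is encrypted.
    [$st, $hdr] = regenerate_identifier(['HTTPS' => 'on', 'HTTP_HOST' => $host, 'REQUEST_URI' => '/RegenerateIdentifier.php'], $secure_flag);
    jar_store($jar, $hdr['Set-Cookie'], $host);
    $log[] = "GET https://example.com/RegenerateIdentifier.php -> $st (Set-Cookie over TLS)";
    // 4. The next ordinary HTTP page: does the fresh id go out in clear text?
    $log[] = 'GET http://example.com/next.php  Cookie: ' . cookie_header_for($jar, 'http://example.com/next.php');
    return $log;
}

foreach ([false, true] as $flag) {
    echo 'Secure flag ' . ($flag ? 'on' : 'off') . ":\n  " . implode("\n  ", trace($flag)) . "\n";
}
```

Without the `Secure` attribute, step 4 sends `PHPSESSID=<new id>` over plain HTTP, so a sniffer collects the regenerated id as easily as the old one. With it, step 4 sends no cookie at all, so the HTTP pages cannot see the session and the "hybrid" collapses into plain HTTPS. Either way the HTTP half gains nothing against packet sniffing, which is the conclusion the thread reaches.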