Security only through ssl?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

polmac
Forum Newbie
Posts: 4
Joined: Mon Dec 14, 2009 5:53 pm

Security only through ssl?

Post by polmac »

Hi!

Could someone point me in the right direction?

I'm trying to implement a secure login where, ideally, someone sniffing the session id of a user cannot simulate being that user. :banghead:
Is that possible? Or is the only secure way to avoid getting the session id sniffed to use SSL on every single request once the user has authenticated?

It sounds weird to me that the only way to do it is through SSL :dubious: . I mean, I understand the need for SSL on a login page, but after that... do I still need to use SSL on every request?

How do they do it on websites like, say, Facebook? They don't use SSL on each request after login, but I assume it is secure and someone sniffing my network wouldn't be able to impersonate me... or would they?

I would really appreciate some help since I'm stuck now due to this question...
Thx! :bow:
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Security only through ssl?

Post by kaisellgren »

If your site is not utilizing SSL/TLS, then it's possible for someone to intercept traffic.
polmac wrote:someone sniffing the session id of a user can not simulate being that user. :banghead:
If someone has the identifier, there's not much you can do about her impersonating the other user. Checking the IP address helps to some point.
polmac wrote:or the only secure way is to avoid getting the session id sniffed by using ssl on every single request once the user has authenticated??
Essentially, a secure session-based system requires SSL/TLS everywhere.
polmac wrote:It sounds weird to me that the only way to do it is through SSL :dubious: . I mean, I understand the need for SSL on a login page, but after that... do I still need to use SSL on every request?
If there is something valuable being sent or received, SSL/TLS should be used. Typically, the session identifier is sent on each page view until the cookie expires, so, yes, ideally you need to have SSL/TLS for pretty much everything.
polmac wrote:How do they do it on websites like, say, facebook? they don't use ssl on each request after login but I assume it is secure and someone sniffing my network wouldn't be able to impersonate me... or would they?
Facebook barely uses SSL/TLS anywhere. The session identifier flies in plain-text all over the network.
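The reply above makes two practical points: the session identifier travels with every page view, so it must never cross the wire in plaintext, and binding the session to the client's IP address is only a partial help. The PHP below is an added example written for this thread, not code posted by either participant. It forces the authenticated area onto HTTPS, marks the session cookie Secure and HttpOnly so the browser never sends the id over plain HTTP, regenerates the id at login, and applies a loose network-prefix binding as the secondary check the reply describes. The cookie name `SECURESESSID`, the `/login.php` redirect target and the `on_successful_login()` hook are assumptions for the example.

```php
<?php
// Added example (not from the thread): keep the session id off the
// plaintext network and loosely bind the session to the client address.

// 1. Refuse to serve the authenticated area over plain HTTP. Redirect
//    before any session cookie could be emitted or read.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 301);
    exit;
}

// 2. Cookie-only sessions (no id in URLs), cookie marked Secure so the
//    browser only sends it over HTTPS, and HttpOnly so script can't read it.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// session_set_cookie_params(lifetime, path, domain, secure, httponly)
session_set_cookie_params(0, '/', '', true, true);
session_name('SECURESESSID');   // assumed cookie name for this example
session_start();

// 3. Network-prefix binding. As the reply notes this "helps to some
//    point": it does not stop an attacker behind the same NAT and it
//    expires sessions for users whose address legitimately changes.
//    Comparing a prefix (/24 for IPv4, /64 for IPv6) rather than the
//    full address reduces the false positives from proxy pools.
function client_prefix($ip) {
    $bin = inet_pton($ip);                  // binary form; normalises compressed IPv6
    if ($bin === false) {
        return $ip;                         // unparseable: fall back to the raw string
    }
    $keep = (strlen($bin) === 16) ? 8 : 3;  // 8 bytes = /64, 3 bytes = /24
    return bin2hex(substr($bin, 0, $keep));
}

$prefix = client_prefix($_SERVER['REMOTE_ADDR']);
if (!isset($_SESSION['net_prefix'])) {
    $_SESSION['net_prefix'] = $prefix;      // first request of this session
} elseif ($_SESSION['net_prefix'] !== $prefix) {
    // The id is presented from a different network than the one that
    // created the session: discard it rather than trust it.
    session_unset();
    session_destroy();
    header('Location: /login.php?reason=session_mismatch', true, 302); // assumed login URL
    exit;
}

// 4. On successful authentication, replace the id so any value observed
//    before login (for instance on an earlier plain-HTTP page) is useless.
function on_successful_login($user_id) {
    session_regenerate_id(true);            // true: delete the old session data
    $_SESSION['user_id']    = $user_id;
    $_SESSION['net_prefix'] = client_prefix($_SERVER['REMOTE_ADDR']);
}
```

Include this at the top of every page in the authenticated area (or in a common bootstrap file) so that no page can accidentally run over HTTP, and call `on_successful_login()` from the login handler after the password check passes. The prefix check is deliberately separate from the TLS enforcement: TLS is what actually stops the sniffing the original question asks about, and the binding only limits what a stolen id is worth.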
polmac
Forum Newbie
Posts: 4
Joined: Mon Dec 14, 2009 5:53 pm

Re: Security only through ssl?

Post by polmac »

This clarifies things a little bit :teach:
Thx Kai.