Security only through ssl?

Posted: Mon Dec 14, 2009 6:07 pm
by polmac
Hi!

Could someone point me in the right direction?

I'm trying to implement a secure login where, ideally, someone sniffing the session id of a user cannot simulate being that user.
Is that possible, or is the only secure way to avoid getting the session id sniffed to use SSL on every single request once the user has authenticated?

It sounds weird to me that the only way to do it is through SSL. I mean, I understand the need for SSL on a login page, but after that... do I still need to use SSL on every request?

How do they do it on websites like, say, Facebook? They don't use SSL on each request after login, but I assume it is secure and someone sniffing my network wouldn't be able to impersonate me... or would they?

I would really appreciate some help since I'm stuck now due to this question...
Thx!

Re: Security only through ssl?

Posted: Tue Dec 15, 2009 7:07 am
by kaisellgren
If your site is not utilizing SSL/TLS, then it's possible for someone to intercept traffic.
polmac wrote: someone sniffing the session id of a user cannot simulate being that user.
If someone has the identifier, there's not much you can do about her impersonating the other user. Checking the IP address helps up to a point.
polmac wrote: or is the only secure way to avoid getting the session id sniffed to use SSL on every single request once the user has authenticated?
Essentially, a secure session based system requires SSL/TLS everywhere.
polmac wrote: It sounds weird to me that the only way to do it is through SSL. I mean, I understand the need for SSL on a login page, but after that... do I still need to use SSL on every request?
If there is something valuable being sent or received, SSL/TLS should be used. Typically, the session identifier is sent on each page view until the cookie expires, so, yes, ideally you need to have SSL/TLS for pretty much everything.
polmac wrote: How do they do it on websites like, say, Facebook? They don't use SSL on each request after login, but I assume it is secure and someone sniffing my network wouldn't be able to impersonate me... or would they?
Facebook barely uses SSL/TLS anywhere. The session identifier flies in plain-text all over the network.
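Added example, not code from either poster: a minimal Python session layer that shows the three points in the reply above in working form. A session id carried in a cookie over plain HTTP is readable by anyone on the path; a cookie marked Secure is withheld by the browser on http:// requests, so the id only ever travels inside TLS; and binding the session to the client IP blocks a replay from a different address but not one from the same NAT or Wi-Fi. The in-memory store, the user and address values and the captured request are all constructed for illustration.

```python
# Added example (not from the thread). Demonstrates: plaintext sniffing of a
# session id, the Secure/HttpOnly cookie flags, and the limits of IP binding.
# SESSIONS, the addresses and the captured request below are constructed.
import re
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # sid -> {"user": ..., "ip": ...}; toy in-memory store (assumption)


def issue_session(user, client_ip, bind_ip=True):
    """Create an unguessable session id (256 bits from the OS CSPRNG)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "ip": client_ip if bind_ip else None}
    return sid


def session_cookie_header(sid, secure=True):
    """Build the Set-Cookie value. Secure: only sent on https://;
    HttpOnly: not readable by page script; SameSite=Lax: not attached to
    most cross-site requests."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["path"] = "/"
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Lax"
    if secure:
        c["sid"]["secure"] = True
    return c.output(header="").strip()


def browser_attaches_cookie(set_cookie_value, scheme):
    """Model the browser rule for the Secure attribute (RFC 6265 section 5.4):
    a cookie marked Secure is attached only to https:// requests."""
    attrs = {p.strip().lower() for p in set_cookie_value.split(";")[1:]}
    return not ("secure" in attrs and scheme != "https")


def sniff_sid(raw_http_request):
    """What a passive sniffer on an unencrypted hop sees: the Cookie header is
    plain text, so the id is a one-line regex away."""
    m = re.search(r"^Cookie:.*?\bsid=([^;\r\n]+)", raw_http_request, re.M)
    return m.group(1) if m else None


def verify_session(sid, client_ip):
    """Resolve a presented sid to a user; None if unknown or, for an IP-bound
    session, presented from a different address."""
    s = SESSIONS.get(sid)
    if s is None:
        return None
    if s["ip"] is not None and s["ip"] != client_ip:
        return None
    return s["user"]


def demo():
    """Walk through login, sniffing and replay; returns the outcomes."""
    sid = issue_session("polmac", "203.0.113.5")
    # Constructed plaintext request, as it would cross the wire without TLS.
    captured = ("GET /inbox HTTP/1.1\r\nHost: example.test\r\n"
                f"Cookie: lang=en; sid={sid}\r\n\r\n")
    stolen = sniff_sid(captured)
    return {
        "sniffed_matches": stolen == sid,
        # replay from the attacker's own address: blocked by the IP binding
        "replay_other_ip": verify_session(stolen, "198.51.100.7"),
        # replay from behind the same NAT: the IP check cannot tell them apart
        "replay_same_ip": verify_session(stolen, "203.0.113.5"),
        # with Secure set, the browser never puts the id on an http:// request
        "sent_over_http_secure": browser_attaches_cookie(
            session_cookie_header(sid), "http"),
        "sent_over_http_insecure": browser_attaches_cookie(
            session_cookie_header(sid, secure=False), "http"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it as a script to see the five outcomes. The Secure flag only helps if every page that needs the session is served over TLS; a single http:// link or redirect on a site without Secure cookies leaks the id, which is why the reply says TLS everywhere rather than just on the login page.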

Re: Security only through ssl?

Posted: Wed Dec 16, 2009 5:46 pm
by polmac
This clarifies things a little bit.
Thx Kai.