Security only through ssl?
Posted: Mon Dec 14, 2009 6:07 pm
Hi!
Could someone point me in the right direction?
I'm trying to implement a secure login where, ideally, someone sniffing the session id of a user cannot simulate being that user.
Is that possible? Or is the only secure way to avoid getting the session id sniffed by using ssl on every single request once the user has authenticated?
It sounds weird to me that the only way to do it is through ssl. I mean, I understand the need of ssl on a login page but after that... do I still need to use ssl on every request?
How do they do it on websites like, say, Facebook? They don't use ssl on each request after login but I assume it is secure and someone sniffing my network wouldn't be able to impersonate me... or would they?
I would really appreciate some help since I'm stuck now due to this question...
Thx!