SSL and protecting cookies
I have a site which allows login from every page which isn't viewed in user mode. In other words, if you are a guest you are presented with a username and password field so you may log in on every page you see.
My issue is that I am told that the only way to truly protect your cookies and sessionID from hijacking is to use SSL. My problem is that I really don't want to run the entire site using SSL for guest users, who will make up the majority of site users.
Do I even need to use SSL to collect the username and password if I switch to SSL to validate the login and then create a new session and a new cookie before redirecting back into the non-SSL site, or does this make it possible to access the username and password and therefore negate any security measures I might take?
Any advice would be great, thanks.
Set the cookie parameters using session_set_cookie_params:

session_set_cookie_params(0, '/', '.yourdomain.com');

This would make the cookie work on both http://www.yourdomain.com and e.g. secure.yourdomain.com.
If you've got SSL working on the same server (e.g. both on www.) you should have no trouble at all even without session_set_cookie_params.
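A login handler along the lines discussed in this thread, as an added example that is not part of the original posts: it takes the session_set_cookie_params call above and adds the secure and httponly arguments plus a fresh session ID at login. The file name, host constant, sample account and check_credentials() helper are assumptions.

```php
<?php
// login.php on the HTTPS host. Added example: the file name, SECURE_HOST,
// the sample account and check_credentials() are hypothetical.
const SECURE_HOST = 'secure.yourdomain.com';

function check_credentials(string $user, string $pass): bool
{
    // Constructed sample account; a real site would load the hash from storage.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
if (!$isHttps) {
    // Credentials that arrive over plain HTTP have already crossed the
    // network unencrypted, so reject the request instead of processing it.
    http_response_code(400);
    exit('Login must be submitted over HTTPS.');
}

// Arguments: lifetime 0 (until the browser closes), path, domain,
// secure = true (cookie is never sent over http://),
// httponly = true (cookie is not readable from JavaScript).
session_set_cookie_params(0, '/', '.yourdomain.com', true, true);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';

    if (check_credentials($user, $pass)) {
        // Issue a new session ID at the privilege change; passing true
        // deletes the old session data so the guest ID cannot be reused.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        header('Location: https://' . SECURE_HOST . '/account.php');
        exit;
    }

    http_response_code(401);
    echo 'Invalid username or password.';
}
```

With the fourth argument set to true the browser stops sending the session cookie on http:// pages, so the logged-in state is only visible on the HTTPS side; left at its default, the cookie travels unencrypted on every plain-HTTP request.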
Thanks for the replies.
I'm still a bit unsure about the security threat that is involved though.
Does submitting a form to an SSL page enter secure mode BEFORE the form content is sent, thus making it secure?
I'll try that code out and see what it does .... I'm just trying to get a handle on the security aspect.
Cheers
That's not really what I mean though.
Why would they run it through the SSL certificate if you could just pick up the password before it gets there?
Don't get me wrong .... I'm not saying that you're wrong or not listening to your advice. I just want to understand why it is insecure, and figure out the best solution.
I'm actually starting to think I need to find out how a secure page call is made. I mean, when the URL begins https, does the browser set up the SSL connection before or after the POST values are sent?
Is what you are saying that this is not the case, and where can I see this in action? Actually ... where is it possible to see POST values anyhow? In the server logs?
Traffic sniffing is not just that easy. It has to be a very skilled person to do this on any network they don't normally have access to. It's possibly easier to hack the Hotmail server than going through all the trouble to get a free email password.
Insecure means not that everyone can just do it but merely that it is possible.
So you've got to think about what you want. If you are protecting a free email password why would security be important? What could happen? Someone reads other people's emails? Someone can spam? Not really anything that values a high security level as this would cost more bandwidth and other resources.
Credit card info e.g. is on the other hand something to protect a little bit further, as the danger of damage is much higher.
> Does submitting a form to an SSL page enter secure mode BEFORE the form content is sent, thus making it secure?
Yes, the SSL handshake takes place prior to the request being sent.
> The form has to be on a protected page already.
This is false, but it is a good idea for the form to be on a secure page anyway. Users feel more comfortable when they see the lock icon while they're entering their sensitive information.
> I'm actually starting to think I need to find out how a secure page call is made.
I have a free chapter on my web site that explains SSL in great detail:
http://shiflett.org/books/http-develope ... hapters/18