Page 1 of 1
SSL and protecting cookies
Posted: Sat Jan 22, 2005 4:52 pm
by Stryks
I have a site which allows login from every page which isn't viewed in user mode. In other words, if you are a guest you are presented with a username and password field so you may login on every page you see.
My issue is that I am told that the only way to truely protect your cookies and sessionID from hijacking is to use SSL. My problem is that I really dont want to run the entire site using SSL for guest users, who will make up the majority of site users.
Do I even need to use SSL to collect the username and password if I switch to SSL to validate the login and then create a new session and a new cookie before redirecting back into the non-SSL site, or does this make it possible to access the username and password and therefore negate any security measures I might take.
Any advice would be great, thanks.
Posted: Mon Jan 24, 2005 1:17 am
by AGISB
Set the cookie parameters using session_set_cookie_params
Code: Select all
session_set_cookie_params(0, '/', '.yourdomain.com');
Would make the cookie work on both
http://www.yourdomain.com and e.g. secure.yourdomain.com
If you got ssl working on the same server (e.g. both on www.) you should have no trouble at all even without session_set_cookie_params.
Posted: Mon Jan 24, 2005 1:18 am
by feyd
although it's quite possible you'll get a mixed media warning.. although I haven't run HTTPS in a long time, so I can't say for sure, anymore.
Posted: Mon Jan 24, 2005 2:07 am
by Stryks
Thanks for the replies.
I'm still a bit unsure about the security threat that is involved though.
Does submitting a form to an SSL page enter secure mode BEFORE the form content is sent, thus making it secure?
I'll try that code out and see what it does .... I'm just trying to get a handle on the security aspect.
Cheers
Posted: Mon Jan 24, 2005 4:24 am
by AGISB
The form has to be on a protected page already.
Posted: Mon Jan 24, 2005 4:53 am
by Stryks
Any idea on how hotmail handle this?
When you put your email address and password in, the page is not SSL protected, yet I would assume that they have gone to great lengths to make it secure.
Surely it isnt a case of leaving a security hole there.
Posted: Mon Jan 24, 2005 5:07 am
by AGISB
Why should they make it secure? Don't expect to much from companies when it comes to free services.
Posted: Mon Jan 24, 2005 5:27 am
by Stryks
Thats not really what I mean though.
Why would they run it through the SSL certificate if you could just pick up the password before it gets there.
Dont get me wrong .... I'm not saying that you're wrong or not listening to your advice. I just want to understand why it is insecure, and figure out the best solution.
I'm actually starting to think I need to find out how a secure page call is made. I mean, when the URL begins https, does the browser seup the SSL connection before or after the POST values are sent.
Is what you are saying that this is not the case, and where can I see this in action? Actually ... where is it possible to see POST values anyhow? In the server logs?
Posted: Mon Jan 24, 2005 6:50 am
by AGISB
Traffic sniffing is not just that easy. It has to be a very skilled person to do this on any network they don't normally have access to. Its possibly easier to hack the hotmail server that going thru all the trouble to get a free email password.
Insecure means not that everyone can just do it but mearly that it is possible.
So you got to think about what you want. If you are protecting a free email password why would security be important? What could happen? Someone reads other peoples emails? Someone can spam? Not really anything that values a high security level as this would cost more bandwidth and other resources.
Credit card info e.g. is on the other hand something to protect a little bit further, as the danger of damage is much higher.
Posted: Fri Feb 18, 2005 1:01 am
by shiflett
Does submitting a form to an SSL page enter secure mode BEFORE the form content is sent, thus making it secure?
Yes, the SSL handshake takes place prior to the request being sent.
The form has to be on a protected page already.
This is false, but it is a good idea for the form to be on a secure page anyway. Users feel more comfortable when they see the lock icon while they're entering their sensitive information.
I'm actually starting to think I need to find out how a secure page call is made.
I have a free chapter on my web site that explains SSL in great detail:
http://shiflett.org/books/http-develope ... hapters/18