secure logins, protection from session attacks
Posted: Fri Jun 03, 2005 8:02 pm
Hi
[1]
I read a few threads mentioning replay attacks. One thing came to my mind while reading the proposed solution (combining the password with a random number, hashing it and then sending it to the server).
The problem is that this solution relies on the assumption that JavaScript is enabled. I wonder if there are other options here...
[2]
Look at the following scenario (I think it is called a session fixation attack and is mentioned in the PHP manual under "Session Handling Functions"):
1. The user fills in the login form and sends it to the server.
2. Somewhere, an enemy listens to the communication.
3. After the user passes authentication, the server issues a session id to the browser.
4. The enemy grabs this session id and gets full access without ever passing authentication.
Is there any protection (except using SSL) for that kind of attack?
And a related situation:
Let's assume that my security strategy is to use an HTTPS (SSL) connection for some critical parts of the site, e.g. login, and then use HTTP for the rest of the user session.
But wouldn't my site in that case be vulnerable to the above scenario (session fixation attack)?
Thanks...
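An added example, not code from the thread, modelling both points of the post in Python (the thread mentions the PHP manual, but the server-side logic is the same in any language): the single-use server nonce behind the challenge-response login in [1], and a session store for [2] that issues a fresh id only after authentication, sends it with the Secure and HttpOnly attributes, and refuses to honour it on a plain-HTTP request. The user table, the nonce/session dictionaries and all function names are constructed for illustration.

```python
import hashlib, hmac, secrets
from typing import Optional, Tuple

# --- [1] challenge-response login with a single-use server nonce (assumed design) ---
# Constructed credential store: the server keeps H(password), which is what the
# client-side script must also derive, so this stored value is itself a secret.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
_issued_nonces = set()          # nonces handed out and not yet consumed

def issue_nonce() -> str:
    """Server creates a fresh random challenge and remembers it until it is used."""
    nonce = secrets.token_hex(16)
    _issued_nonces.add(nonce)
    return nonce

def client_response(password: str, nonce: str) -> str:
    """What the browser-side script computes: H(H(password) || nonce)."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return hashlib.sha256((pw_hash + nonce).encode()).hexdigest()

def verify_login(user: str, nonce: str, response: str) -> bool:
    """Consume the nonce before checking, so a captured (nonce, response) pair
    replayed later is rejected even though it was once valid."""
    if nonce not in _issued_nonces or user not in USERS:
        return False
    _issued_nonces.discard(nonce)
    expected = hashlib.sha256((USERS[user] + nonce).encode()).hexdigest()
    return hmac.compare_digest(expected, response)

# --- [2] session handling: new id at login, Secure cookie, honoured only over TLS ---
_sessions = {}                  # session id -> user name

def login_session(user: str, pre_login_sid: Optional[str]) -> Tuple[str, str]:
    """After authentication, discard any id the browser held before login and
    issue a new one, returned with the Set-Cookie attributes it should carry."""
    if pre_login_sid:
        _sessions.pop(pre_login_sid, None)
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = user
    cookie = f"sid={sid}; Secure; HttpOnly; Path=/"
    return sid, cookie

def session_user(sid: str, over_tls: bool) -> Optional[str]:
    """An id issued over HTTPS is only accepted over HTTPS; on plain HTTP it
    would travel in the clear (step 2 of the scenario), so it is ignored."""
    if not over_tls:
        return None
    return _sessions.get(sid)
```

The Secure attribute means the browser will not send the cookie on HTTP pages at all, which is exactly where the "HTTPS for login, HTTP for the rest" strategy conflicts with keeping the session private.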