session key problem

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


ashosheh
Forum Newbie
Posts: 3
Joined: Sun Jan 01, 2006 9:00 am

session key problem

Post by ashosheh »

Hi all. Thanks to everyone who replied to my last post.
I use SSL for my web site transactions. I'm worried that there might be a hacker on the network with a sniffer program capturing the packets sent from and to my clients. The packet and the session key are encrypted, and I guarantee that he cannot read anything from the packet, but ... what if he captured the encrypted session key and used it to intercept the client's session?
Is there any solution other than using client certificates? I check in my sessions for the client IP address, but this is not enough because the hacker might use the same IP addresses in the packet (IP spoofing).

Thanks in advance
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

You might find this article helpful:

http://shiflett.org/articles/the-truth-about-sessions

This is a difficult problem without a perfect solution, although ensuring that the session identifier is only sent in requests protected with SSL is a very strong approach.
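Putting the reply's suggestion into PHP, as an added example that is not code from this thread or from the linked article: the session identifier is issued and accepted only on an SSL-protected request, with the cookie flagged so the browser never sends it over plain HTTP. The helper names (`request_is_https`, `start_secure_session`, `login_user`) are my own; the ini options and functions are PHP's.

```php
<?php
// Added example: confine the PHP session identifier to SSL/TLS requests.
declare(strict_types=1);

function request_is_https(): bool
{
    // Most SAPIs set $_SERVER['HTTPS'] to a non-empty value other than "off"
    // when the request arrived over TLS.
    return !empty($_SERVER['HTTPS']) && strtolower((string) $_SERVER['HTTPS']) !== 'off';
}

function start_secure_session(): void
{
    if (!request_is_https()) {
        // Do not start a session on plain HTTP at all: doing so would make
        // the browser transmit the identifier in the clear on this request.
        http_response_code(403);
        exit('HTTPS required');
    }

    // Accept the identifier only from the cookie (never from the URL), and
    // reject identifiers the server did not generate itself.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    // "secure": the browser sends the cookie only on HTTPS requests.
    // "httponly": the cookie is not readable by client-side script.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();
}

function login_user(string $userId): void
{
    start_secure_session();
    // Issue a fresh identifier when privilege changes, so an identifier that
    // existed before login is not the one bound to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

The checks in `start_secure_session()` must run before any output is sent, since both the 403 response and the session cookie are HTTP headers.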