Page 2 of 2
Re: Security Ideas [sessions/cookies]
Posted: Sun Jun 11, 2006 3:41 pm
by alex.barylski
The alternative, as you mention, is passing the session id in the url. The risk with doing so is that it is easy to capture over the wire
That same risk applies regardless of how the SID is maintained...
The only disadvantage to using URL propagation is it's visible to someone peeking over your shoulder and there is also the risk someone sends a link to a web page in an email or something similar...but there are techniques to prevent this from being an issue as well...I mean programmatically too...not beating up anyone who peeks over your shoulder
and it's also passed to other sites when you leave
Only for the unaware...there is a setting in php.ini which prevents URL propagation for external links...
Non-relative URLs are assumed to point to external sites and hence don't append the SID, as it would be a security risk to leak the SID to a different server
http://ca3.php.net/manual/en/ref.sessio ... -trans-sid
(It should be noted that despite these issues, temporary cookies are practically just as easy to capture over the wire - just not by referrer).
Ignore what I said at the start of this thread
I should note...that the biggest downfall to using URL propagation is that it's not as reliable, in that, Javascript generated menus which link to your site likely won't have the SID in their URLs as the menu may possibly be created client side after URL matching has been completed by PHP session functions. Also Flash links become useless, etc...
Both cookies and URLs have their ups and downs...but really they're both secure if the right techniques are used.
Cheers
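The php.ini setting the post refers to, applied from PHP code so the session id is carried only in a cookie and never rewritten into links, with the cookie flags that limit exposure over the wire. This is an added example, not code from the thread; the directive names are real PHP ini directives, while harden_session() and session_is_cookie_only() are names chosen here.

```php
<?php
// Added example (not from the thread). Configure PHP sessions so the SID travels
// only in a cookie, and harden that cookie. The directives are standard php.ini
// settings applied with ini_set() before session_start(); harden_session() is a
// name chosen for this example.
function harden_session(): void {
    // Weak (old default): session.use_trans_sid=1 appends the SID to relative links
    // and forms, so it ends up in browser history, logs and over-the-shoulder views.
    ini_set('session.use_trans_sid', '0');
    // Accept the SID only from the cookie; a SID supplied in the query string is
    // ignored, which also covers the "link sent by e-mail" case the post mentions.
    ini_set('session.use_only_cookies', '1');
    // Do not adopt session ids the server did not generate itself.
    ini_set('session.use_strict_mode', '1');
    // Cookie flags: not readable from scripts, sent only over TLS when available.
    session_set_cookie_params([
        'lifetime' => 0,                       // temporary cookie, dies with the browser
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Sanity check on the settings actually in force (ini_get() returns strings).
function session_is_cookie_only(): bool {
    return ini_get('session.use_trans_sid') === '0'
        && ini_get('session.use_only_cookies') === '1';
}

harden_session();
if (!session_is_cookie_only()) {
    error_log('session settings were overridden by php.ini; SID may leak into URLs');
}
```

Settings an administrator has locked in php.ini cannot be changed by ini_set(), which is why the block verifies the values after applying them instead of assuming they took effect.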

Posted: Sun Jun 11, 2006 4:37 pm
by Maugrim_The_Reaper
Bank card number? Ewww....
Posted: Sun Jun 11, 2006 5:23 pm
by alex.barylski
Maugrim_The_Reaper wrote:Bank card number? Ewww....
It's a pain in the a$$ to type...let alone remember...so it's kind of a nice feature I thought...
Posted: Sun Jun 11, 2006 11:56 pm
by RobertGonzalez
daou wrote:
    if (isset($_SESSION['key'], $_COOKIE['key'])
        && $_COOKIE['key'] === $_SESSION['key']
        && $_SERVER['REMOTE_ADDR'] === ($_SESSION['ip_address'] ?? null)) {
        // give a new value for key, save it into the cookie and session variable
        $key = bin2hex(random_bytes(16));
        $_SESSION['key'] = $key;
        setcookie('key', $key);
        // load the page
    } else {
        // end session
        session_destroy();
    }
So if a user's IP changes (say like with a Broadband connection or with a router that resolves its own IPs) then their session is killed? Sounds like it could frustrate a user...
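A version of daou's check that keeps the per-request key rotation but drops the hard IP binding that would log out a user whose address changes mid-session. This is an added example, not code from the thread: issue_key(), session_is_valid() and note_ip_change() are names chosen here, and the address change is only logged rather than used to end the session.

```php
<?php
// Added example, not daou's or the thread's code: per-request key rotation that
// does not tie the session to REMOTE_ADDR, so a user whose address changes
// mid-session (dynamic broadband, a NAT router, a proxy pool) is not logged out.
// The address is still recorded and compared, but only as a logged signal.
// Function names are chosen for this example.

function issue_key(): string {
    $key = bin2hex(random_bytes(16));          // 128-bit unpredictable token
    $_SESSION['key'] = $key;
    setcookie('key', $key, [
        'path'     => '/',
        'httponly' => true,                    // not readable by client-side scripts
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    return $key;
}

function session_is_valid(): bool {
    if (empty($_SESSION['key']) || empty($_COOKIE['key'])) {
        return false;
    }
    // constant-time comparison of the presented cookie with the server-side copy
    return hash_equals($_SESSION['key'], $_COOKIE['key']);
}

function note_ip_change(): void {
    $now = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    if (isset($_SESSION['ip_address']) && $_SESSION['ip_address'] !== $now) {
        // a signal for monitoring, not on its own a reason to kill the session
        error_log(sprintf('session %s: client address changed %s -> %s',
            session_id(), $_SESSION['ip_address'], $now));
    }
    $_SESSION['ip_address'] = $now;
}

session_start();

if (empty($_SESSION['key'])) {
    // first request of a fresh session: establish the key (normally done at login,
    // right after session_regenerate_id(true))
    issue_key();
} elseif (session_is_valid()) {
    issue_key();            // rotate the key, as in daou's sketch
    note_ip_change();
    // load the page
} else {
    $_SESSION = [];
    session_destroy();      // end the session on a missing or mismatched key
    // redirect to login
}
```

The rotating key still gives the property daou was after (a copied cookie stops working as soon as the legitimate browser makes its next request), while the logged address change can feed an alerting rule without producing the forced logouts RobertGonzalez describes.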
Posted: Mon Jun 12, 2006 12:08 am
by matthijs
How does a site like Amazon do it?
Amazon will remember you, so you can do some basic stuff. Like seeing what items you watched last time, see your wish list etc. But as soon as you want to do something with a higher level of risk involved, you're asked for your password.
Just looked it up: I think Ilia Alshanetsky calls this a multi-tier authentication system which uses two separate cookies. One long duration cookie for read-only access. Logging in (again) creates a second, short-term session that allows you to do more sensitive things.
Arborint, if your idea of creating a cookie class takes place I will follow it with interest. Haven't done much with sessions yet so not sure if I could contribute a lot..
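The two-tier scheme described above, as an added example that is neither the thread's nor Ilia Alshanetsky's code: a long-lived "remember" cookie that only identifies the user for read-only pages, and a short-lived elevated state in the PHP session that a fresh password check creates and that sensitive actions require. The token table is a constructed array standing in for a database, and all function names and the ELEVATED_TTL value are choices made for this example.

```php
<?php
// Added example (not the thread's or Ilia Alshanetsky's code): two-tier authentication.
// Tier 1: a long-lived "remember" cookie grants read-only access (wish list, history).
// Tier 2: a recent password login marks the PHP session as elevated for a short
// window; anything sensitive requires that. Names and the TTL are chosen here.

const ELEVATED_TTL = 15 * 60;   // seconds a fresh login stays valid for sensitive actions

// Constructed stand-in for a database table: sha256(token) => user id.
// Only the hash is stored, so a copy of the table does not yield usable cookies.
$remember_tokens = [
    hash('sha256', 'example-token-for-user-42') => 42,
];

function user_from_remember_cookie(array $tokens): ?int {
    if (empty($_COOKIE['remember'])) {
        return null;
    }
    return $tokens[hash('sha256', $_COOKIE['remember'])] ?? null;
}

function issue_remember_cookie(array &$tokens, int $user_id): void {
    $token = bin2hex(random_bytes(32));        // 256-bit random, never derived from user data
    $tokens[hash('sha256', $token)] = $user_id;
    setcookie('remember', $token, [
        'expires'  => time() + 30 * 24 * 3600, // the long-duration cookie
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function is_elevated(): bool {
    return isset($_SESSION['elevated_at'])
        && (time() - $_SESSION['elevated_at']) < ELEVATED_TTL;
}

// Call only after the submitted password has been verified against the stored hash.
function elevate_after_password_check(int $user_id): void {
    session_regenerate_id(true);               // new session id on privilege change
    $_SESSION['user_id']     = $user_id;
    $_SESSION['elevated_at'] = time();
}

session_start();
$user = $_SESSION['user_id'] ?? user_from_remember_cookie($remember_tokens);

if ($user === null) {
    // anonymous: show the login form
} elseif (!is_elevated()) {
    $_SESSION['user_id'] = $user;
    // tier 1: read-only pages are fine; ask for the password before checkout,
    // address changes or anything else that spends money or alters the account
} else {
    // tier 2: the sensitive action may proceed
}
```

The remember cookie never carries anything but a random token, so it identifies the user without authenticating them; the password check that populates elevated_at is what turns identification into authorisation, and it lapses after ELEVATED_TTL seconds regardless of how long the remember cookie lives.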
Posted: Mon Jun 12, 2006 3:03 am
by Maugrim_The_Reaper
Isn't a bankcard number sensitive data? Could be just me now. In Ireland a bank card number is one basis of authentication to online bank account access. Would prefer it did not sit on a PC in a nice little text file for anyone to gawk at... It's probably not the same thing outside Ireland's aging banking system....
Posted: Mon Jun 12, 2006 8:47 pm
by alex.barylski
Maugrim_The_Reaper wrote:
Isn't a bankcard number sensitive data? Could be just me now. In Ireland a bank card number is one basis of authentication to online bank account access. Would prefer it did not sit on a PC in a nice little text file for anyone to gawk at... It's probably not the same thing outside Ireland's aging banking system....
Well...it's actually only a client card number for debit transactions as far as I know...in which case fraudulent use would be difficult as you absolutely need the card to perform any actions...it's not a credit card number...
In order for the number to have any use, outside of identifying you, you need a 6 digit PIN (Personal identification number) and the physical card itself...
So no...it's not really a security risk I don't think
