to use session cookies or not to use session cookies

Posted: Sat Aug 04, 2007 11:34 pm
by tecktalkcm0391
I was wondering what was more secure, using session cookies or not using session cookies... what's the pros and cons?

Thanks!

Posted: Sat Aug 04, 2007 11:48 pm
by Benjamin
Well neither. Session data is stored on the server. Passing the session id around can be the security issue because this can allow others to hijack the session, which can happen with or without cookies.

Posted: Sat Aug 04, 2007 11:51 pm
by tecktalkcm0391
so checking the users login IP address versus the one being used would help, but can't that be hijacked too?

Posted: Sat Aug 04, 2007 11:55 pm
by Benjamin
That's another issue, you can't check the IP because a lot of times it can change per page request. This usually happens with AOL users because they route http requests through clusters of proxy servers.

Posted: Sun Aug 05, 2007 12:28 am
by tecktalkcm0391
astions wrote:That's another issue, you can't check the IP because a lot of times it can change per page request. This usually happens with AOL users because they route http requests through clusters of proxy servers.
That's what I thought. Any suggestions on how to prevent stealing a session from computer to computer?

Posted: Sun Aug 05, 2007 12:41 am
by Benjamin
You can somewhat mitigate the risk of sessions being hijacked by changing the session id often, maybe even per page request.
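Here is what Benjamin's suggestion looks like in practice. This is an added example written for this thread, not code from anyone posting in it, and it uses a constructed in-memory dictionary as the server-side session store (a real site would use its database or cache, but the rotation logic is the same). The ids come from the OS random generator via `secrets.token_urlsafe`, the id is rotated at login and on every request, and the old id is deleted rather than kept alive, so a copied cookie stops working as soon as the legitimate user makes their next request.

```python
import secrets
import time


class SessionStore:
    """Constructed in-memory, server-side session store (example only)."""

    def __init__(self, idle_timeout=1800):
        self._sessions = {}            # session id -> {"data": {...}, "last_seen": ts}
        self._idle_timeout = idle_timeout

    def _new_id(self):
        # 32 bytes from the OS CSPRNG, URL-safe so it can sit in a cookie value.
        return secrets.token_urlsafe(32)

    def create(self, data=None):
        sid = self._new_id()
        self._sessions[sid] = {"data": dict(data or {}), "last_seen": time.time()}
        return sid

    def load(self, sid):
        """Return the session data for sid, or None if unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if time.time() - entry["last_seen"] > self._idle_timeout:
            del self._sessions[sid]
            return None
        entry["last_seen"] = time.time()
        return entry["data"]

    def regenerate(self, old_sid):
        """Move the data to a fresh id and invalidate the old one.

        Called after login (privilege change) and, following the suggestion in
        the thread, optionally on every request.
        """
        entry = self._sessions.pop(old_sid, None)
        if entry is None:
            return None
        new_sid = self._new_id()
        entry["last_seen"] = time.time()
        self._sessions[new_sid] = entry
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def handle_request(store, cookie_sid, regenerate_every_request=True):
    """Simulate one request: return (id to set in the cookie, session data).

    An unknown or expired id gets a brand-new empty session instead of being
    adopted as-is, which also blocks session fixation.
    """
    data = store.load(cookie_sid) if cookie_sid else None
    if data is None:
        sid = store.create()
        return sid, store.load(sid)
    if regenerate_every_request:
        sid = store.regenerate(cookie_sid)
        return sid, store.load(sid)
    return cookie_sid, data


def login(store, sid, username):
    """Privilege change: always rotate the id so a pre-login id cannot be reused."""
    new_sid = store.regenerate(sid)
    store.load(new_sid)["user"] = username
    return new_sid


def demo():
    """Walk one visitor through anonymous -> login -> next request."""
    store = SessionStore()
    sid1, _ = handle_request(store, None)        # anonymous visitor, new session
    sid2 = login(store, sid1, "alice")           # id rotated at login
    sid3, data = handle_request(store, sid2)     # id rotated again on the next request
    old_ids_alive = store.load(sid1) is not None or store.load(sid2) is not None
    return {
        "rotated": len({sid1, sid2, sid3}) == 3,
        "user_kept": data["user"] == "alice",
        "old_ids_dead": not old_ids_alive,
    }


if __name__ == "__main__":
    print(demo())
```

One caveat before rotating on every single request: browsers fire page assets and AJAX calls in parallel, so a second request that is already in flight with the just-retired id will be treated as a stranger and get an empty session. Most sites settle for rotating at login, at logout, and on a timer, and for sending the cookie with the HttpOnly and Secure flags so it is harder to copy in the first place.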

Posted: Sun Aug 05, 2007 12:45 am
by tecktalkcm0391
astions wrote:You can somewhat mitigate the risk of sessions being hijacked by changing the session id often, maybe even per page request.
good idea. i think that's what myspace does with MyToken

Posted: Sun Aug 05, 2007 12:52 am
by Benjamin
Without looking into it, that could be a randomly generated string to prevent pages from being cached.

Posted: Sun Aug 05, 2007 8:35 am
by superdezign
tecktalkcm0391 wrote:
astions wrote:You can somewhat mitigate the risk of sessions being hijacked by changing the session id often, maybe even per page request.
good idea. i think that's what myspace does with MyToken
Hehe, I've stolen a "MyToken" before and was automatically logged into their account after loading it into my cookies. It didn't work the last time I did it though, and a good thing, too. If any website on the entire internet should put more effort into security, it's MySpace.

Posted: Sun Aug 05, 2007 10:35 pm
by tecktalkcm0391
superdezign wrote:If any website on the entire internet should put more effort into security, it's MySpace.
Yeah they need to be... especially because I can login using just the letters in my password in any case...
password - works
pAssword - works
PASSWORD -- works... etc.

Posted: Sun Aug 05, 2007 11:10 pm
by superdezign
tecktalkcm0391 wrote:
superdezign wrote:If any website on the entire internet should put more effort into security, it's MySpace.
Yeah they need to be... especially because I can login using just the letters in my password in any case...
password - works
pAssword - works
PASSWORD -- works... etc.
Case-insensitive passwords? That's.... that's dumb.

Posted: Mon Aug 06, 2007 11:56 am
by Benjamin
Hmm, that probably means they are either not encrypting them, or they are converting them to lower case or upper case before encrypting them.
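To make Benjamin's second possibility concrete, here is an added example (not code from anyone in the thread) that hashes a password the normal way, next to the flawed variant that lowercases it first. It uses salted PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an assumed example value. The last function counts how many differently-cased inputs collapse onto one stored hash, which is exactly the guessing advantage tecktalkcm0391 is worried about.

```python
import hashlib
import hmac
import os


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256 over the password exactly as typed.

    Returns (salt, iterations, digest); store all three per user.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    """Constant-time comparison against a record from hash_password()."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def hash_password_lowercased(password, salt=None, iterations=100_000):
    """The flawed variant: case is folded away before hashing."""
    return hash_password(password.lower(), salt, iterations)


def verify_password_lowercased(password, record):
    return verify_password(password.lower(), record)


def case_variants_collapsed(password):
    """How many distinct inputs map to the same stored hash under case folding.

    Every letter that has an upper and lower form doubles the count, so a
    password with n such letters loses a factor of 2**n against guessing.
    """
    letters = sum(1 for ch in password if ch.lower() != ch.upper())
    return 2 ** letters


def demo(secret="PasSWOrD07"):
    """Compare both schemes on the example password from the thread."""
    good = hash_password(secret)
    bad = hash_password_lowercased(secret)
    return {
        "exact_accepted_by_both": verify_password(secret, good)
        and verify_password_lowercased(secret, bad),
        "lowercase_rejected_by_good": not verify_password(secret.lower(), good),
        "lowercase_accepted_by_bad": verify_password_lowercased(secret.lower(), bad),
        "variants_collapsed": case_variants_collapsed(secret),
    }


if __name__ == "__main__":
    print(demo())
```

For `PasSWOrD07` the folding scheme maps 256 differently-cased strings onto a single hash, so an attacker only needs to try the all-lowercase one. Note that case folding cannot be told apart from plaintext storage from the outside; both just show up as "any case logs me in".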

Posted: Mon Aug 06, 2007 12:30 pm
by tecktalkcm0391
astions wrote:Hmm, that probably means they are either not encrypting them, or they are converting them to lower case or upper case before encrypting them.
Yeah, but myspace passwords should be encrypted, and isn't it easier to guess passwords that are all lowercase than something like: PasSWOrD07

Posted: Mon Aug 06, 2007 2:02 pm
by Benjamin
I would hate to see their code base.

Posted: Mon Aug 06, 2007 5:49 pm
by s.dot
To go further off topic ;)

I changed my password with them. Now BOTH passwords work.