Jcart wrote: Regenerating the session ID shouldn't be done on every request, only on privilege changes such as login, password change, etc. Secondly, why do you require an iframe? Why not simply include() the file? Thirdly, the use of SSL is absolutely recommended to prevent session hijacking because it encrypts the actual transmission, and in no way is this technique a substitute.
Sorry to say, your solution is not a solution at all.
See
http://shiflett.org/articles/session-fixation
<<Regenerating the session ID shouldn't be done on every request, only on privilege changes such as login, password change, etc.>>
Yeah, I agree, but only because it will cause problems if someone clicks back in their browser. And I believe the new session identifier would ONLY apply to the iframe.
<<Secondly, why do you require an iframe? Why not simply include() the file?>>
I think you're misunderstanding the objective here. You would still need to make a secure request. How would including the file encrypt the new session identifier? I'm only encrypting what's important.
<<Thirdly, the use of SSL is absolutely recommended to prevent session hijacking because it encrypts the actual transmission, and in no way is this technique a substitute.>>
I didn't say my technique was a substitute for SSL. The idea is to use SSL as minimally as possible, creating better performance. I know I don't want to run my entire site through SSL! As far as I know, you can't run some pages secure and some not. As soon as you run a non-secure page your session identifier is available in plain text, ready to be sniffed.
These methods are not reliable and more open to spoofs. Especially with AOL users.
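The advice that runs through the thread, regenerating the session ID only on a privilege change and leaving encryption of the transport to SSL, can be shown as a small PHP login handler. This is an added example, not code posted by either participant; the `login`/`logout` helpers, the user name and the in-memory user table are constructed for illustration.

```php
<?php
// Added example (not from the thread): rotate the PHP session ID only on a
// privilege change (login/logout) and mark the session cookie Secure and
// HttpOnly so the identifier is never sent over plain HTTP.
declare(strict_types=1);

// Refuse session IDs the server did not create itself (session fixation defence)
// and never accept the ID from the URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

// The cookie is only transmitted over HTTPS and is not readable from JavaScript.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',          // assumption: current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Verify credentials against a constructed user table and, on success,
 * issue a fresh session ID so any ID the client held before login is useless.
 * Returns true when the login succeeded.
 */
function login(string $user, string $password): bool
{
    // Constructed sample user store; real code would query a database.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // Privilege change: swap the session ID and delete the old session data.
    session_regenerate_id(true);
    $_SESSION['user']  = $user;
    $_SESSION['since'] = time();
    return true;
}

/** On logout, clear the data and rotate again so the old ID cannot be reused. */
function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// Usage with constructed request values (a real handler reads $_POST).
if (login('alice', 'correct horse battery staple')) {
    echo "logged in as {$_SESSION['user']}; session id rotated\n";
    logout();
} else {
    echo "login failed\n";
}
```

Two points worth noting when reading this against the thread: `session_regenerate_id()` replaces the session cookie for the cookie's whole path and domain, so the rotated ID is not tied to the frame or page that triggered it; and with the `secure` flag set, the browser simply withholds the cookie on any plain-HTTP page, which is what prevents the identifier from being sniffed there, at the cost that those pages cannot see the session.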