Hi all, thanks to everyone who replied to my last post.
I use SSL for my web site transactions. I'm worried that there is a hacker on the network with a sniffer program capturing packets sent to and from my clients. The packets and the session key are encrypted, and I guarantee that he cannot read anything from the packets, but... what if he captured the encrypted session key and used it to intercept the client's session?
Is there any solution other than using client certificates? I check my sessions for the client's IP address, but this is not enough because the hacker might use the same IP address in the packets (IP spoofing).
Thanks in advance.
session key problem
You might find this article helpful:
http://shiflett.org/articles/the-truth-about-sessions
This is a difficult problem without a perfect solution, although ensuring that the session identifier is only sent in requests protected with SSL is a very strong approach.
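The approach the reply recommends, as an added example that is not code from the thread or from the linked article: a small Python session handler (the `Request` class, the `SESSIONID` cookie name and the in-memory store are my own assumptions) that marks the cookie Secure and HttpOnly so the browser never sends the identifier over plaintext, regenerates the identifier at login, and discards any identifier that does turn up on a non-SSL request.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory session store; a real site would use its normal backend.
_sessions: dict = {}


@dataclass
class Request:
    is_tls: bool                                  # True when the request arrived over HTTPS
    cookies: dict = field(default_factory=dict)


def issue_session_cookie(sid: str) -> str:
    """Set-Cookie value that browsers will only send on HTTPS requests.
    'Secure' keeps the id off plaintext links, so a sniffer never sees it;
    'HttpOnly' keeps page scripts from reading it."""
    return f"SESSIONID={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def new_session(user: str) -> str:
    sid = secrets.token_urlsafe(32)               # 256-bit random id, not guessable
    _sessions[sid] = {"user": user}
    return sid


def regenerate(old_sid: str) -> str:
    """Swap the id at login or privilege change, so an id captured before
    login is worthless afterwards."""
    data = _sessions.pop(old_sid)
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = data
    return sid


def current_user(req: Request) -> Optional[str]:
    """Resolve the session only on TLS requests. An id that shows up on a
    plaintext request has been exposed and is invalidated on the spot."""
    sid = req.cookies.get("SESSIONID")
    if sid is None:
        return None
    if not req.is_tls:
        _sessions.pop(sid, None)                  # leaked in the clear: drop it
        return None
    sess = _sessions.get(sid)
    return sess["user"] if sess else None
```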