in reply to Session handling security

A lot of people will use sessions with some type of MD5 hash of the user information and password as well (in cookies or URLs); this way it makes it way harder to fake sessions, and yes, sessions can be faked depending on how they are implemented. Many session handlers forget that a substantial portion of the internet (AOL and many other ISPs) connects through transparent proxies, which makes the originating IP almost worthless in the session state.

-Waswas
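As an added illustration of the point above (not code from the original thread or from any of its posters): a session cookie bound to the user with a keyed hash, so that a forged cookie fails validation without the client IP ever being consulted. It uses HMAC-SHA256 with a server-side secret rather than the plain MD5 mentioned in the post, because a hash without a secret can be recomputed by anyone who knows the user data; the secret key, cookie layout and usernames are all constructed for the example.

```python
import hmac
import hashlib
import time
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def _sign(payload: str) -> str:
    """Keyed hash of the payload. Without SECRET_KEY nobody can produce a
    valid tag for a modified payload, which unkeyed MD5 does not guarantee."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_session_cookie(username: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build the cookie value "username|expiry|tag".
    The client IP is deliberately not part of the payload: transparent
    proxies make it an unreliable session attribute."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + ttl_seconds}"
    return f"{payload}|{_sign(payload)}"


def validate_session_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is authentic and unexpired, else None.
    Checking the tag is what lets the server skip re-verifying the password
    on every request."""
    now = int(time.time()) if now is None else now
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expiry, tag = parts
    # Constant-time compare so timing differences do not leak tag bytes.
    if not hmac.compare_digest(_sign(f"{username}|{expiry}"), tag):
        return None
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    return username


if __name__ == "__main__":
    cookie = make_session_cookie("alice", 3600, now=1_000_000)
    print(validate_session_cookie(cookie, now=1_000_500))  # alice
    # Editing the username without the key invalidates the tag.
    forged = cookie.replace("alice", "admin", 1)
    print(validate_session_cookie(forged, now=1_000_500))  # None
```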

Re: Re: Session handling security
by Fingo (Monk) on Aug 20, 2002 at 20:39 UTC
    Is this dangerous enough to warrant the speed hit of checking name and pass every time on a site where security is not key (i.e. I don't use https)?
    Thanks,
    Max
      Are you providing the sessions or are you using a 3rd party product or are you using perl modules to do it? It really depends why the site is password protected to begin with. If you have no need for security but just have logins to change the look and feel of a site then I would say no. If you have parts of the site that contain personal information or information that is _private_ then I would say it might make sense to deal with the overhead of doing so. The devil is in the details -- what makes sense for one site may not make any for the next.

      -Waswas