[nycphp-talk] Session Thoughts
felix zaslavskiy
felix at students.poly.edu
Fri Oct 31 15:45:06 EST 2003
On Fri, 31 Oct 2003 12:28:54 -0800 (PST)
Chris Shiflett <shiflett at php.net> wrote:
> --- felix zaslavskiy <felix at students.poly.edu> wrote:
> > There is no magic tricks that Amazon and Yahoo to do to secure
> > their webapplication and ssl and ask for a password is really what
> > they do at the application level.
>
> I agree that it's not magic, but if you think using SSL and asking
> for a password is all that they do, or if you think this is all that
> you need to do to secure a session or a Web application in general,
> you're simply wrong.
>
> Any code written by someone with this perspective is almost assuredly
> full of security vulnerabilities.
>
I was not born under a rock and I can point to good example of Fortune 100 companies totaly screwing up security in web application. The Microsofts Hotmail password change feature comes to mind. At the HTTP level there is only few things that can be done such as use of ssl and sessionid's and asking for passwords. This is only having to do with the interactions between the browser and the web application talking. Once the control passes to the application ofcourse million and one details have to be taken care of. There is no feature that would let you automaticaly log someone one if they have not clicked on anything because they went to the restroom.
I happen to be an amazon customer and I looked up the cookies they left on my machine. There is 6 cookies 5 of which are id's and one that has sort of redirect url. They dont disguise the meanings of the cookie values for example one of 'order_cache_primed' and another is 'sessionid'. I entered a restricted function like change billing and i noticed that my session id has not changed from since before. So I conclude that even if i walk away for 10 meninutes now anyone can come and muck around in my amazon account.
> Chris
>
> =====
> My Blog
> http://shiflett.org/
> HTTP Developer's Handbook
> http://httphandbook.org/
> RAMP Training Courses
> http://www.nyphp.org/ramp
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
>
More information about the talk
mailing list