[Phplib-users] more on session fixation...
From: Giancarlo <gia...@na...> - 2003-02-26 21:08:38
Reading that paper mentioned now in the php manual, titled "Session Fixation", one is taken to think that https can help in quite a few cases. As I started reflecting on this, it is clear that, whenever you carry some token-credential in your headers, e.g. a session cookie that grants authentication, it is safe to travel inside the SSL tunnel. And stick to it. Because any time you inadvertently click on a link that has no 'https' in front of it, you transmit all your headers openly through the net, with no encryption.

I know there are 'secure' cookies, that would only exist inside https. My question is: whose task is it to prevent the user exiting the SSL tunnel while still carrying all his credentials? Is it reasonable that an authenticated user can go in and out of the https protocol, without losing any of his authentication?

I know this is all obsolete, because we are all going to use client certificates, but for the meantime this is what we have to cope with, as Maxim wrote.

Gian
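The two mechanisms Gian touches on, a 'secure' cookie that the browser only sends inside https and a session id that should not survive from before login, can both be handled on the server side. The following is an added example written for this thread, not phplib's own code or anything Gian posted: it forces the request onto https, marks the PHP session cookie Secure and HttpOnly, refuses session ids that did not originate from the server, and regenerates the id when the user authenticates. It assumes PHP 7.3 or later (array form of `session_set_cookie_params()`) and a hypothetical application-supplied `check_password()` function.

```php
<?php
// Added example, not from the phplib-users thread. Assumes PHP >= 7.3 and a
// hypothetical application function check_password($user, $password).
declare(strict_types=1);

// 1. Keep the credential inside the TLS tunnel: bounce any plain-http request
//    to https before a session cookie is ever read or written.
function is_https(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

if (!is_https()) {
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 301);
    exit;
}

// 2. The 'secure' cookie Gian mentions: the browser withholds it on any
//    http link, so a stray http URL carries no session credential at all.
//    HttpOnly additionally keeps it out of reach of page scripts.
session_set_cookie_params([
    'lifetime' => 0,      // discarded when the browser closes
    'path'     => '/',
    'domain'   => '',     // current host only
    'secure'   => true,   // sent over https only
    'httponly' => true,
    'samesite' => 'Lax',
]);

// 3. Session-fixation hygiene: ids come only from our cookie, never from the
//    URL, and an id the server did not issue is rejected instead of adopted.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

session_start();

// 4. On successful authentication, swap the session id so that whatever id
//    the client arrived with before login never becomes an authenticated one.
function login(string $user, string $password): bool
{
    if (!check_password($user, $password)) {   // hypothetical app function
        return false;
    }
    session_regenerate_id(true);               // true: destroy the old session data
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    return true;
}

// 5. Tell the browser to upgrade future http links to https by itself, so the
//    user cannot "exit the tunnel" by clicking a non-https link to this host.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
```

Of the two sides of Gian's question, the Secure flag and HSTS are the parts that only the browser can enforce (the server merely requests them), while the https redirect, `use_strict_mode` and the `session_regenerate_id()` call at login are entirely the application's responsibility.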