Reading that paper mentioned now in the PHP manual, titled "Session
Fixation", one is taken to think that https can help in quite a few
cases. As I started reflecting on this, it is clear that, whenever you
carry some token credential in your headers, e.g. a session cookie that
grants authentication, it is safe to travel inside the SSL tunnel. And
stick to it. Because any time you inadvertently click on a link that does
not have 'https' in front of it, you transmit all your headers openly through
the net, with no encryption. I know there are 'secure' cookies that
would only exist inside https.
My question is: whose task is it to prevent the user from exiting the SSL
tunnel while still carrying all his credentials? Is it reasonable that
an authenticated user can go in and out of the https protocol without
losing any of his authentication? I know this is all obsolete, because
we are all going to use client certificates, but for the meantime this is
what we have to cope with, as Maxim wrote.
Gian
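An added example, not code from the post above or from the PHP manual, of the server-side controls that keep a PHP session cookie inside the TLS tunnel and blunt session fixation: the Secure (and HttpOnly) cookie flags, strict session-ID mode, ID regeneration at login, and an HSTS header so the browser itself upgrades plain http:// links instead of leaking the cookie. It assumes PHP 7.3 or later and a hypothetical login_user() function.

```php
<?php
// Added example (not from the original post). Assumes PHP >= 7.3 for the
// array form of session_set_cookie_params() and the 'samesite' option.

// Send the session cookie only over HTTPS and keep it out of JavaScript.
session_set_cookie_params([
    'lifetime' => 0,          // session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,       // browser will not attach the cookie to http:// requests
    'httponly' => true,
    'samesite' => 'Strict',
]);

// Reject session IDs the server did not issue itself (core fixation defence),
// and never accept an ID from the URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

// Assumption: the application is meant to be reached over TLS only. A request
// that arrives over plain HTTP is redirected before any session is started, so
// no cookie is ever consulted outside the tunnel.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// HSTS: for the next year the browser rewrites any http:// link to this host
// to https:// on its own, so an inadvertent plain link does not leave the tunnel.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

session_start();

// Hypothetical login hook: once credentials are verified, discard whatever ID
// the client arrived with so a pre-planted (fixated) ID never becomes authenticated.
function login_user(int $userId): void
{
    session_regenerate_id(true);   // issue a fresh ID and delete the old session data
    $_SESSION['user_id'] = $userId;
}
```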