[nycphp-talk] Session security: protecting against hijacking attempts
Eric Rank
flakie at gmail.com
Wed Dec 15 20:42:43 EST 2004
Thanks for the feedback.
Using SSL will be an option when it's available. I'm just trying to
figure out some best practices in order to stop the gaps as much as
possible. I just want to know what IS possible and if I'm missing
anything.
>From the responses so far, it seems that (just as you say, Chris) I
should use SSL for the really important stuff. Otherwise, a mixture of
timeout settings, useragent and ip verification, and possibly the use
of cookies, are the best, if not only, means of verifying the session.
Although, my gut tells me that there's some other creative solution possible...
- Eric Rank
> > Is this something that needs to be worried about, or am I just paranoind?
>
> Yes. ;-)
>
> No, not really -- you need to think about what harm can come from
> someone impersonating an authenticated user of your application.
> Falsified posts on a message board are usually no big deal, but
> defacement of your Fortune 500 company's dynamic website would be a
> much bigger concern.
>
> Just because it's relatively easy to do, doesn't mean that anyone will
> ever take the trouble to do it. If the possibility keeps you awake at
> night, use SSL. Otherwise don't sweat it.
More information about the talk
mailing list