Re: Advice on when to use SSL? esp. Session ID security
From: Patrice Scribe (scribe@chez.com)
Date: 04/04/03
From: "Patrice Scribe" <scribe@chez.com> Date: Fri, 4 Apr 2003 13:08:30 +0200
Cross-Site Scripting should allow someone to steal this information. Besides
protecting your site against CSS, you could also change this ID with each
round trip (I believe this is what IIS does for its own session identifier).
Anyway, I'm afraid that security is a never-ending process.
Patrice
--
"Luke Arms" <linarms@yahoo.com> wrote in message news: Xns935392ACABFD0linarmsyahoocom@61.8.0.29...
> Hi,
>
> I'm just trying to assess when/how much to use SSL encryption on an ASP.NET
> site. Obviously I'll be using it on the login page, but what do people
> think about retaining SSL for the duration of the user's session? My
> primary concern is that although 'crackers' might be unable to get a
> username/password, they could possibly forge a session cookie after the
> user logs on and returns to a standard HTTP connection. To what extent
> should this be a genuine concern? Given the overhead of running an entire
> site over SSL if a user's logged on, it would be preferable to only use
> HTTPS for the login page ...
>
> Any comments?
>
> Thanks,
>
> Luke
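
One way to implement the per-round-trip ID change suggested in the reply above, shown as an added example that is not part of the original thread and does not reproduce how IIS or ASP.NET handles its session identifier. The class and method names are hypothetical, and the session table is an in-memory stand-in for a real session store.

```python
import secrets


class RotatingSessionStore:
    """Server-side session table whose identifier changes on every round trip."""

    def __init__(self):
        self._live = {}     # current session id -> session data
        self._retired = {}  # already-used id -> id that replaced it

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable, so it cannot be forged
        self._live[sid] = {"user": user}
        return sid

    def round_trip(self, presented_id):
        """Return (session, next_id), or (None, None) if the id is rejected."""
        if presented_id in self._retired:
            # A retired id came back: two clients hold the same session,
            # e.g. a cookie captured over plain HTTP. Revoke the whole chain.
            self._revoke_chain(presented_id)
            return None, None
        session = self._live.pop(presented_id, None)
        if session is None:
            return None, None
        next_id = secrets.token_urlsafe(32)
        self._live[next_id] = session
        self._retired[presented_id] = next_id
        return session, next_id

    def _revoke_chain(self, sid):
        # Follow old id -> replacement links and drop the live session at the end.
        while sid in self._retired:
            sid = self._retired.pop(sid)
        self._live.pop(sid, None)


def demo():
    store = RotatingSessionStore()
    first = store.login("luke")          # constructed sample user
    _, second = store.round_trip(first)  # legitimate request, id rotates
    replayed = store.round_trip(first)   # captured old id presented again
    owner = store.round_trip(second)     # chain revoked, owner must log in again
    return replayed, owner
```

Rotation only bounds how long a captured ID stays useful: over plain HTTP the current ID is still visible on the wire, and whoever presents it first holds the session until the other party's next request trips the replay check.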