Re: Cookieless Sessions (Sessions Without Cookies) and Security
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 29 Sep 2006 23:00:22 +0000 (UTC)
You always have to use SSL if you care about the data on the wire!
If someone can sniff your connection (no SSL) - there is no difference between cookies and cookieless security-wise.
Cookie-less sessions have different (additional) problems:
- session fixation (someone sends you a link with a pre-generated session)
- users copy & paste the session URL and send it e.g. via mail
- id is visible in browser (screenshots etc.)
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
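Two of the problems listed above (fixation and forwarded links) are reduced on the server side by never honouring a session id the server did not issue itself and by rotating the id on login. This is an added example, not code from this thread or from ASP.NET; it models such a store in Python, assuming the `/(S(id))/` URL layout of ASP.NET cookieless mode and a hypothetical 20-minute lifetime.

```python
import secrets
import time
from urllib.parse import urlsplit

SESSION_TTL = 20 * 60  # seconds; assumed lifetime, not taken from the thread


class CookielessSessionStore:
    """Server-side store for session ids carried in the URL path."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # id -> {"created": timestamp, "user": name}

    def _new_id(self):
        sid = secrets.token_urlsafe(24)   # unguessable, server-generated id
        self._sessions[sid] = {"created": self._now(), "user": None}
        return sid

    def resolve(self, url):
        """Return (session_id, data) for a request URL such as
        /(S(<id>))/default.aspx. An id that this server never issued, or
        that has expired, is discarded and replaced with a fresh one, so a
        link carrying an attacker-chosen id cannot fix the victim's session."""
        path = urlsplit(url).path
        sid = None
        if path.startswith("/(S(") and "))/" in path:
            sid = path[4:path.index("))/")]
        data = self._sessions.get(sid)
        if data is None or self._now() - data["created"] > SESSION_TTL:
            self._sessions.pop(sid, None)
            sid = self._new_id()
            data = self._sessions[sid]
        return sid, data

    def login(self, old_sid, user):
        """Rotate the id on authentication: any id seen before login (shared
        link, screenshot, fixation attempt) stops working at this point."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid]["user"] = user
        return sid
```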
Thanks for the quick reply.
Some suggest that SSL is the cure-all for cookieless sessions. I did
not want to do this initially, but if it will allow the secure use of
cookieless sessions, it may be the only option. What are your
thoughts? Does SSL close the security gaps opened by cookieless
sessions, or at least make them as secure as sessions with cookies?
Here is another thought: are sessions with cookies really that much
more secure than cookieless sessions? If someone knows how to obtain
your URL from a remote location, that same person can probably spoof
your cookie.