Re: Is it possible at all to secure an unencrypted website?
Your analysis is correct. If you want it to be secure, you really need to consider SSL. Session cookies or cookies that supply authentication information are just as easily intercepted as query string parameters if the plaintext HTTP data can be sniffed.


--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"LenaMsdn08" <LenaMsdn08@xxxxxxxxxxxxxxxx> wrote in message news:F7B2F251-62B1-410D-8C55-C6995AA65B21@xxxxxxxxxxxxxxxx
We recently had this discussion at work - someone had suggested implementing
single sign-on by passing a random 32-byte key in the query string and matching
it against a database that is used by both applications. Both sites are
written in ASP.NET 1.1.

It was pointed out that passing this key in the query string was a huge
security hole; anyone who intercepted the request on the Internet could then
use the key to log in.

On the other hand, wouldn't any unencrypted (using http, not https) website
be vulnerable pretty much no matter what you do? For example, even if the
session object is server-side, isn't the cookie that stores the session ID
passed in the HTTP request, so just as well as intercepting the query string,
couldn't someone intercept the cookie and hijack the session?

(My apologies for the lack of correct terminology in this post.)

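The following is an added example, not code from either poster. It takes the point of view of someone sniffing plaintext HTTP on the path between browser and server, and shows that a session identifier sent in a Cookie header is harvested with exactly the same effort as the SSO key sent in the query string. It also models the one browser rule that makes the "use SSL" advice hold up in practice: a cookie whose Set-Cookie carried the Secure attribute is only attached to https:// requests, so it never reaches the wire in clear. The hostnames, the SSO key and the session ID in the capture are constructed values; the Secure-attribute model is my addition and is not discussed in the thread.

```python
"""
Passive-sniffer view of plaintext HTTP (added example, not from the thread).

Demonstrates that a session secret carried in a cookie is no harder for an
on-path observer to read than one carried in the query string, and models
why a cookie must be marked Secure once the site moves to SSL.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed capture: two requests as they appear on the wire over plain
# HTTP.  The first carries an SSO key in the query string, the second an
# ASP.NET session cookie.  All hostnames and token values are made up.
CAPTURE = (
    b"GET /app2/default.aspx?ssokey="
    b"7f9c2ba4e88f827d616045507605853ed73b8093f6efbc88eb1a6eacfa66ef26 HTTP/1.1\r\n"
    b"Host: app2.example.test\r\n"
    b"\r\n"
    b"GET /app1/account.aspx HTTP/1.1\r\n"
    b"Host: app1.example.test\r\n"
    b"Cookie: ASP.NET_SessionId=kz3ixb45gyt0bj55d1jv2x55; theme=blue\r\n"
    b"\r\n"
)


def split_requests(raw: bytes):
    """Yield each HTTP request (headers only) found in a captured byte stream."""
    for chunk in raw.split(b"\r\n\r\n"):
        if chunk.strip():
            yield chunk.decode("latin-1")


def harvest_credentials(raw: bytes):
    """
    Pull every query-string value and every cookie value out of sniffed
    plaintext HTTP.  Returns a list of (source, name, value) tuples; an
    attacker needs nothing more than this to replay either kind of token.
    """
    found = []
    for req in split_requests(raw):
        lines = req.split("\r\n")
        _method, target, _version = lines[0].split(" ", 2)

        # 1. Query string: everything after '?' travels in clear.
        for name, values in parse_qs(urlsplit(target).query).items():
            for v in values:
                found.append(("query", name, v))

        # 2. Cookies: also in clear, on every request to that host.
        for line in lines[1:]:
            header, _, value = line.partition(":")
            if header.strip().lower() == "cookie":
                for pair in value.split(";"):
                    name, _, v = pair.strip().partition("=")
                    found.append(("cookie", name, v))
    return found


def browser_sends_cookie(set_cookie_attrs: str, request_url: str) -> bool:
    """
    Minimal model of the browser rule that matters here: a cookie whose
    Set-Cookie carried the 'Secure' attribute is attached only to https://
    requests.  set_cookie_attrs is the attribute part of a Set-Cookie header,
    e.g. "Path=/; Secure; HttpOnly".
    """
    secure = any(a.strip().lower() == "secure" for a in set_cookie_attrs.split(";"))
    scheme = urlsplit(request_url).scheme.lower()
    return scheme == "https" or not secure


if __name__ == "__main__":
    # Everything a sniffer sees: the SSO key and the session ID side by side.
    for source, name, value in harvest_credentials(CAPTURE):
        print(f"{source:6s} {name} = {value}")

    # Without Secure, the session cookie still leaks on any http:// link to
    # the same host even after the login page is moved to SSL.
    for attrs in ("Path=/; HttpOnly", "Path=/; Secure; HttpOnly"):
        for url in ("http://app1.example.test/", "https://app1.example.test/"):
            print(f"{attrs!r:28s} -> {url}: sent={browser_sends_cookie(attrs, url)}")
```

The first function is the whole attack: no decryption, no cracking, just reading the request. The second function is the caveat that goes with the SSL advice above: moving only the login page to https is not enough, because a cookie without the Secure attribute is still sent in clear on every http:// request to the same host.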