Security of HTTP based authentication
Zbigniew Lukasiak
zzbbyy at gmail.com
Wed Jan 12 07:26:23 GMT 2011
From http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_hijacking :
"a large number of websites, although using encrypted HTTPS
communication for user authentication (i.e. the login page),
subsequently send session cookies and other data over ordinary,
unencrypted HTTP connections for performance reasons. Attackers can
therefore easily intercept the cookies of other users and impersonate
them on the relevant websites"
So what is the current 'state of the art' solution - all application data
through HTTPS and only images via HTTP?
I imagine that one could also use two cookies - one secure and one
ordinary session - and then send a link to an empty image over https
to periodically authenticate the ordinary session with the secure
cookie. But that seems a bit complicated - and guarantees only
partial security - the attacker would be able to successfully send a
few requests.
--
Zbigniew Lukasiak
http://brudnopis.blogspot.com/
http://perlalchemy.blogspot.com/
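As an added illustration (not part of the original post or the london.pm thread), the two-cookie scheme sketched above modelled in Python with the standard library: the server issues an ordinary session cookie plus a second cookie carrying the Secure attribute, and a client-side function applies the rule a conforming browser follows, which is that Secure cookies are only attached to https:// requests. The cookie names and values are constructed for the example.

```python
"""Model of the two-cookie scheme: which cookies a browser attaches to
http:// versus https:// requests, and therefore which ones a passive
observer of the plain-HTTP traffic can see."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def build_set_cookie_headers(session_id, secure_id):
    """Server side: emit Set-Cookie headers for an ordinary session
    cookie (usable on http:// pages) and a second cookie restricted to
    HTTPS via the Secure attribute. Names are constructed for the example."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["path"] = "/"
    jar["session_secure"] = secure_id
    jar["session_secure"]["secure"] = True
    jar["session_secure"]["httponly"] = True
    jar["session_secure"]["path"] = "/"
    return [morsel.OutputString() for morsel in jar.values()]


def parse_set_cookie(headers):
    """Client side: load the Set-Cookie header values into a cookie jar."""
    jar = SimpleCookie()
    for header in headers:
        jar.load(header)
    return jar


def cookies_for_request(jar, url):
    """Names of the cookies a conforming client sends to `url`: a cookie
    with the Secure attribute is only sent over https (RFC 6265 s5.4)."""
    scheme = urlsplit(url).scheme
    return sorted(name for name, morsel in jar.items()
                  if scheme == "https" or not morsel["secure"])


def exposed_on_plaintext(jar, urls):
    """Cookie names a passive observer of the unencrypted traffic sees:
    everything the client attaches to any http:// request in `urls`."""
    seen = set()
    for url in urls:
        if urlsplit(url).scheme == "http":
            seen.update(cookies_for_request(jar, url))
    return sorted(seen)


if __name__ == "__main__":
    jar = parse_set_cookie(build_set_cookie_headers("s-123", "k-456"))
    print(cookies_for_request(jar, "http://example.com/logo.png"))
    print(cookies_for_request(jar, "https://example.com/account"))
    print(exposed_on_plaintext(jar, ["http://example.com/logo.png",
                                     "https://example.com/account"]))
```

The ordinary session cookie is what the Wikipedia passage describes being intercepted; the Secure cookie never leaves the client on a plain-HTTP request, which is exactly why the scheme only narrows the window rather than closing it.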