Security of HTTP based authentication

Leo Lapworth leo at cuckoo.org
Wed Jan 12 07:41:39 GMT 2011


On 12 January 2011 07:26, Zbigniew Lukasiak <zzbbyy at gmail.com> wrote:

> From http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_hijacking :
>
> "a large number of websites, although using encrypted HTTPS
> communication for user authentication (i.e. the login page),
> subsequently send session cookies and other data over ordinary,
> unencrypted HTTP connections for performance reasons. Attackers can
> therefore easily intercept the cookies of other users and impersonate
> them on the relevant websites"
>
> So what is the current 'state of art' solution - all application data
> through HTTPS and only images via HTTP?
>

We set 2 cookies, https (session only) and http (x days)

/account/secure/...
- HTTPS
- allows viewing of sensitive information
- updating of any account information
- must login each session
- ALL page content is https (e.g. images/js/css as well), we do not mix with
HTTP

/account/ and actually the rest of /
- HTTP
- User object available on every page... but restricted...
- Only has basic viewing of non-sensitive information
- Can actually update some VERY mundane information - saved items (we do not
have a shopping basket so this couldn't pollute an order)
- Lets users get on with 80% of stuff without having to log in each time
(works for our specific scenario).

Hope that helps

Leo
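The two-cookie split Leo describes, written out as an added example (Python, not Leo's code and not from any london.pm project). It issues a Secure, HttpOnly, session-only cookie scoped to /account/secure/ and a long-lived plain-HTTP "remember" cookie for the rest of the site, binds a privilege tier to each token on the server, and models the browser's Secure/Path rules so you can see what an eavesdropper on the HTTP side actually gets. The 30-day lifetime, the cookie names, the in-memory session store and the tiny browser model are assumptions for the example. The caveat the post already implies still holds: whatever the "remember" cookie is allowed to do can be done by anyone who sniffs it, so the "basic" tier must really be mundane.

```python
"""Two-tier cookie scheme: a Secure, session-only cookie for /account/secure/
and a long-lived plain-HTTP cookie for everything else, with the server
refusing to honour the low-tier cookie on the high-tier path."""
import secrets
from http.cookies import SimpleCookie

SECURE_PREFIX = "/account/secure/"   # HTTPS-only area, as in the post
REMEMBER_DAYS = 30                   # the post's "x days"; 30 is an assumption

# Server-side session store: token -> (user, tier). In-memory for the example.
SESSIONS = {}


def _issue(user, tier):
    token = secrets.token_urlsafe(32)      # 256 random bits, not guessable
    SESSIONS[token] = (user, tier)
    return token


def login(user):
    """Return the two Set-Cookie headers the (HTTPS-only) login page sends."""
    c = SimpleCookie()
    c["secure_session"] = _issue(user, "secure")
    c["secure_session"]["secure"] = True         # browser never sends it over HTTP
    c["secure_session"]["httponly"] = True       # not readable by page scripts
    c["secure_session"]["path"] = SECURE_PREFIX  # only sent to the HTTPS area
    c["secure_session"]["samesite"] = "Strict"
    # No Max-Age/Expires: a session cookie, gone when the browser closes,
    # which is what forces a fresh login for /account/secure/ each session.
    c["remember"] = _issue(user, "basic")
    c["remember"]["httponly"] = True
    c["remember"]["path"] = "/"
    c["remember"]["max-age"] = REMEMBER_DAYS * 24 * 3600
    c["remember"]["samesite"] = "Lax"
    return [m.OutputString() for m in c.values()]


def parse_cookie_header(header):
    """Parse a request Cookie header into a name -> value dict."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = value
    return out


def authorize(path, cookie_header, https):
    """Return (user, tier) for the request, or None if it must log in.

    The tier is bound to the token server-side, so a 'remember' token captured
    from clear-text HTTP cannot be replayed to reach the secure area even when
    the attacker sends it over HTTPS.
    """
    cookies = parse_cookie_header(cookie_header)
    if path.startswith(SECURE_PREFIX):
        if not https:
            return None                          # never serve the secure area in clear
        session = SESSIONS.get(cookies.get("secure_session", ""))
        if session is None or session[1] != "secure":
            return None
        return session
    session = SESSIONS.get(cookies.get("remember", ""))
    if session is None:
        return None
    return (session[0], "basic")                 # never more than basic on plain pages


class BrowserJar:
    """Minimal model of how a browser stores cookies and decides which to send."""

    def __init__(self):
        self.cookies = {}                        # name -> (value, attributes)

    def set_cookie(self, header):
        first, *attrs = [p.strip() for p in header.split(";")]
        name, _, value = first.partition("=")
        parsed = {}
        for attr in attrs:
            key, _, val = attr.partition("=")
            parsed[key.lower()] = val if val else True
        self.cookies[name] = (value, parsed)

    def cookie_header(self, https, path):
        """Build the Cookie header for a request, honouring Secure and Path."""
        sent = []
        for name, (value, attrs) in self.cookies.items():
            if attrs.get("secure") and not https:
                continue                         # Secure cookies stay off the wire on HTTP
            if not path.startswith(attrs.get("path", "/")):
                continue
            sent.append(f"{name}={value}")
        return "; ".join(sent)


def demo():
    """Walk through the scenario from the post with a constructed user; returns outcomes."""
    SESSIONS.clear()
    jar = BrowserJar()
    for header in login("alice"):
        jar.set_cookie(header)
    secure_path = SECURE_PREFIX + "details"
    # An eavesdropper on the plain-HTTP side sees exactly this Cookie header:
    sniffed = jar.cookie_header(https=False, path="/")
    return {
        "https_secure_area": authorize(secure_path, jar.cookie_header(True, secure_path), True),
        "http_front_page": authorize("/", sniffed, False),
        "sniffed_contains_secure_cookie": "secure_session" in sniffed,
        "replay_sniffed_to_secure_area": authorize(secure_path, sniffed, True),
        "http_to_secure_area": authorize(secure_path, jar.cookie_header(False, secure_path), False),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running demo() shows the HTTPS request to /account/secure/ authorised at the "secure" tier, the plain-HTTP front page at "basic", the sniffed Cookie header containing only the remember cookie, and the replay of that cookie against the secure area refused. The Path attribute on the secure cookie is belt-and-braces: the Secure flag already keeps it off HTTP, Path keeps it out of requests that have no business seeing it.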


More information about the london.pm mailing list