Posted by Ben Ramsey on 10/19/53 11:31
On 11/8/05 10:27 PM, Tony Di Croce wrote:
>
> The sites are both physically located on the same machine.
>
> What if I encrypt the session_id, and put it in a "hidden" text input
> box in a form, that is delivered via POST to the other site. This way,
> the session id is passed, but it is encrypted?
To me, it's not a question of whether the sites are physically located
on the same machine, and it's not a question of encrypting the session
id. Anyone who even knows the encrypted session id could then POST it to
the form in a replay attack, authenticating themselves as the intended
user. Also, hidden form fields aren't really "hidden."
For me, it's a question of practice. I would not attempt to share a
session across two different domains. Even large sites (such as Yahoo)
don't seem to do this.
Yahoo appears to maintain sessions across its subdomains, and, for this
reason, all Yahoo images are served from a completely separate domain
(yimg.com). None of the images served from yimg.com contain the cookie
headers associated with yahoo.com (and, thus, they are not associated
with any user sessions). There are two reasons (I know of) for doing
this: 1) bandwidth (less data passing across the HTTP headers), and 2)
it prevents CSRF attacks on Yahoo user accounts that could occur by
attackers serving images from a yahoo.com domain on other sites.
I do know that Yahoo owns Flickr now, and I know that you are able to
log into Flickr with your Yahoo account, but you cannot log into Yahoo!
Mail and then go to Flickr and expect to be logged in. You must also
authenticate yourself with Flickr. Now, you may notice and be tempted to
point out that, when you authenticate yourself on Flickr with your Yahoo
id, you are doing so from login.yahoo.com. This may be so, but Yahoo
then passes some long "obfuscated" hash back to Flickr, where, I
believe, Flickr is actually setting the session rather than sharing a
session from Yahoo (someone else may correct me on this). This hash,
however, is none other than a base64 encoded string that can be decoded
like so:
echo urldecode(base64_decode($var));
This does not, however, include your password information, or, if it
does, it's even more securely encrypted in the values that you see when
you decode it (as shown above). Nevertheless, I could potentially (if I
were stupid) paste the full Flickr URL to which Yahoo redirects me here
and every one of you would have immediate access to my Flickr account.
Thankfully, it all happens in the background, so the normal user would
never see this URL in their browser--it's all part of the HTTP Location
headers redirecting them around. (Still not wholly secure, as I was able
to see it and grab it, but it's more secure than exposing the URL to the
user in the browser.)
Still, I don't think Flickr is sharing the Yahoo session; it is,
however, sharing the database information, I imagine.
So, I say all that to say this: I just don't think it's a good practice
to share sessions across two different domains. If you must share
profile information, then (in my opinion) require authentication and a
separate session on the second domain. Otherwise, use a subdomain to
share sessions.
--
Ben Ramsey
http://benramsey.com/
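The two points made in the message above, that an encrypted session id in a hidden field is still replayable and that the safer pattern is for the second site to set its own separate session, can be shown side by side. The following is an added example, not code from the thread or from Yahoo/Flickr. The "cipher" is a toy keystream built from HMAC-SHA256 standing in for whatever reversible encryption a site might use (it is constructed for illustration only); the shared session table, the in-memory handoff store and the 60-second lifetime are all assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

# ---------------------------------------------------------------------------
# Design 1: site A POSTs enc(session_id) to site B in a hidden form field.
# Toy stand-in cipher (constructed for this example, not a production cipher):
# keystream = HMAC-SHA256(key, nonce || counter); ciphertext = nonce || pt XOR ks
# ---------------------------------------------------------------------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_session_id(key: bytes, session_id: str) -> str:
    nonce = secrets.token_bytes(16)
    pt = session_id.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return base64.urlsafe_b64encode(nonce + ct).decode()

def decrypt_session_id(key: bytes, token: str) -> str:
    raw = base64.urlsafe_b64decode(token)
    nonce, ct = raw[:16], raw[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

class EncryptedIdReceiver:
    """Site B accepting an encrypted session id from a hidden POST field.
    Nothing here can tell a legitimate submission from a captured copy of it:
    whoever holds the token is treated as the user (the replay the post warns of)."""
    def __init__(self, key: bytes, sessions: dict):
        self.key = key
        self.sessions = sessions          # assumed shared table {session_id: user}

    def accept(self, posted_token: str):
        sid = decrypt_session_id(self.key, posted_token)
        return self.sessions.get(sid)     # user is now "logged in" on site B

# ---------------------------------------------------------------------------
# Design 2: site A mints a single-use, short-lived handoff token; site B redeems
# it exactly once and then starts its OWN session (the post's recommendation:
# a separate session on the second domain, with only database state shared).
# ---------------------------------------------------------------------------
class OneTimeHandoff:
    def __init__(self, ttl_seconds: int = 60, now=time.time):
        self.ttl = ttl_seconds
        self.now = now                    # injectable clock for testing
        self.pending = {}                 # token -> (user, expires_at), shared store
        self.site_b_sessions = {}         # site B's own session table

    def mint(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, never derived from the id
        self.pending[token] = (user, self.now() + self.ttl)
        return token

    def redeem(self, token: str):
        entry = self.pending.pop(token, None)  # consumed on first use: replay fails
        if entry is None:
            return None
        user, expires_at = entry
        if self.now() > expires_at:            # stale token (e.g. a leaked URL) fails
            return None
        sid = secrets.token_urlsafe(32)        # brand-new session id owned by site B
        self.site_b_sessions[sid] = user
        return sid

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    receiver = EncryptedIdReceiver(key, {"abc123": "alice"})   # constructed session
    tok = encrypt_session_id(key, "abc123")
    print("design 1, first use :", receiver.accept(tok))
    print("design 1, replayed  :", receiver.accept(tok))       # still "alice"
    handoff = OneTimeHandoff()
    t = handoff.mint("alice")
    print("design 2, first use :", handoff.redeem(t) is not None)
    print("design 2, replayed  :", handoff.redeem(t))          # None
```

The replay in design 1 succeeds because the encrypted value is a bearer credential: site B verifies the key, not the client. Design 2 gives site B nothing long-lived to accept, so a captured token (like the redirect URL the post describes grabbing) is worthless once redeemed or after its short lifetime, and the resulting session belongs to site B alone.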