Posted by Jerry Stuckle on 03/12/07 23:10
dino d. wrote:
> Hi Everyone-
>
> I was reading a few posts about sessions and security, and it seems
> that the best way to address sessions security is to require
> authentication every time the user needs to get to sensitive data (or
> protect the session data with SSL). In other words, assume that the
> world can see your session data stored in cookies if you're not using
> SSL. So, I started looking for exceptions to this rule of thumb
> (requiring authentication for sensitive data, even if the user has
> already logged in and has session data in a cookie), and I found one
> on ebay. If you log on to ebay, and then go to your personal
> information, and then try to edit, say, your credit card information,
> you are asked to log in. However, if you check the check box that
> says "keep me logged in for 1 day unless I log out" (or whatever), you
> no longer have to log in to get to your credit card information. So
> obviously, they have secured the session data without SSL (or https).
> How is this accomplished? Is there an equivalent construct in PHP?
>
> Thanks,
> Dino
>
Dino,
You don't "protect the session with SSL". You protect data being sent
between the browser and the server with SSL.
Yes, some of this data can be the session ID (via cookie or URL), and to
be perfectly secure the session ID should be sent over a secure connection.
But obviously EBay has decided this part is not required for their needs, which is their choice.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
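Neither poster shows code, so here is an added example (not Dino's, Jerry's, or the site's own code) of the two ideas the thread touches on, written for PHP 7.3 or later: keep the session ID off plaintext connections, and ask for the password again before a sensitive page. The function names, the login page path and the 300-second re-login window are assumptions.

```php
<?php
// Added example: send the PHP session ID only over HTTPS and require a
// fresh login before sensitive data is shown.

// Refuse to start a session on a plaintext connection; the ID in the cookie
// is only as confidential as the channel it travels over.
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (($_SERVER['SERVER_PORT'] ?? null) == 443);
if (!$isHttps) {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// Cookie flags: 'secure' stops the browser sending the ID over http://,
// 'httponly' keeps page script from reading it, 'samesite' limits cross-site use.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
session_start();

// Call right after a password check succeeds (assumed helper name).
function markAuthenticated(int $userId): void
{
    session_regenerate_id(true);   // fresh ID so a pre-login ID cannot be reused
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

// Sensitive pages (editing payment details, say) call this: a session whose
// login is older than $maxAge seconds must re-enter the password, which is the
// behaviour Dino observed. The 300-second default is an assumed policy value.
function requireFreshLogin(int $maxAge = 300): void
{
    $age = time() - (int)($_SESSION['auth_time'] ?? 0);
    if (empty($_SESSION['user_id']) || $age > $maxAge) {
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
        header('Location: /login.php?reauth=1', true, 303); // assumed path
        exit;
    }
}
```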