Posted by trlists on 04/09/05 21:51
On 9 Apr 2005 Ryan A wrote:
> This certainly has turned out to be an interesting discussion.....I
> usually send the info via sessions...how bad is that?
Well if you are using sessions it is worth thinking about session
security, for example:
http://shiflett.org/articles/the-truth-about-sessions
http://www.acros.si/papers/session_fixation.pdf
Beyond that -- what info are you sending? Session data is stored on
the server, not at the client, so the security is as good as for
anything else on the server (assuming of course that session data is
outside the web document tree).
Personally there is little if any data that I would encrypt when saving
it as session data (maybe CC numbers, if I had to save them across
pages at all, or maybe passwords, but nothing else), because I think
that's a weak defense. If access to your session data means they have
gained access to the server then they can also find the code you use to
decrypt that session data, so it is just one more small obstacle, not a
true defense.
Another point is that this might require a different analysis on a
shared vs. dedicated server as a shared server may well be less secure
than a dedicated server, and a dedicated server you don't physically
control (e.g. colocated) may be less secure than one you do.
--
Tom