Reply to session security

Posted by Marcus on 11/16/79 11:28

Hello,

Currently all of my php pages use SSL, not just my initial login.
Originally I thought this would be more secure, but after thinking about
things and looking at sites like Amazon and Gmail, they all SSL the
login scripts and then use regular http for everything else, which I'm
sure speeds things up without the encrypt/decrypt process.

I was going to change my scripts to reflect this model, but I saw in the
php manual the following:

"There are several ways to leak an existing session id to third parties.
A leaked session id enables the third party to access all resources
which are associated with a specific id. [...] Second, a more active
attacker might listen to your network traffic. If it is not encrypted,
session ids will flow in plain text over the network. The solution here
is to implement SSL on your server and make it mandatory for users."

This seems to conflict with what the big sites do. I would really
appreciate any guidance, as I have been reading all morning on packet
sniffing, session fixation, etc., but the wealth of information out
there makes it all very confusing.

Lastly, I was also wondering if it matters that I use mysql_connect() on
every page in the event I do not SSL every page... please correct me if
I am wrong, but since it resides on the server, I don't *think* the
database password, which is stored in the php file in plain text, should
ever actually be transported across the network. I have not been able
to confirm this, however.

Thanks so much in advance.
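As an added illustration (not Marcus's code, and following the mandatory-SSL side of the manual's advice), this is how a PHP site can keep the session id from crossing the network in plain text: HTTPS is enforced on every page, the id lives only in a Secure, HttpOnly cookie, and the id is regenerated at login. It assumes PHP 5.2 or later and that the same host answers over https://; the function names are my own.

```php
<?php
// Added example, not code from the original post. Assumes PHP 5.2 or later
// and that the same host serves the site over https://.

// Call this at the top of every page, before any output is sent.
function start_secure_session()
{
    // Refuse to run over plain HTTP: redirect to the https:// equivalent so
    // the session cookie set below is never requested on an unencrypted link.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header('Location: ' . $target, true, 301);
        exit;
    }

    // The session id travels only in a cookie, never appended to URLs
    // (where it would leak through server logs and Referer headers) ...
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // ... and that cookie is flagged Secure (the browser sends it over HTTPS
    // only) and HttpOnly (not readable from JavaScript).
    // Arguments: lifetime, path, domain, secure, httponly
    session_set_cookie_params(0, '/', '', true, true);

    session_start();
}

// Call this once the username/password check has succeeded.
function login_user($user_id)
{
    // Replace the id issued before authentication, so an id an attacker
    // planted or observed earlier (session fixation) is never upgraded to a
    // logged-in session. true = also delete the old session's data.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $user_id;
    $_SESSION['logged_in'] = true;
}

// On the mysql_connect() question: the credentials in the PHP file are read on
// the server and sent from the PHP process to the MySQL server. They are never
// part of the HTTP response, so HTTPS on the page has no bearing on them. (If
// MySQL runs on another host, that hop is web-server to database-server
// traffic, not browser traffic.)
```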

Copyright © 2005-2006 Powered by Custom PHP Programming