Re: Best practice, (secure), to save session data? [message #178406 is a reply to message #178405]
Thu, 14 June 2012 16:30
Jerry Stuckle
Messages: 2598 Registered: September 2010
Senior Member
On 6/14/2012 8:52 AM, Chris Davies wrote:
> Simon<bad(at)example(dot)com> wrote:
>> the way I see it, if they can get the session cookie then they can
>> just as well access the base64_encoded data anyway.
>
> Almost.
>
> 1. If you put the data in the session cookie as base64 then it can be
> decoded and viewed any time someone likes. No security.
>
> 2. If you encrypt the data into the cookie using a secret known only to
> the website then at least someone has to go to the bother of trying to
> brute force the data string, but they have as much time as they like to
> do so. Password security.
>
Incorrect. They don't need to break the string. All they have to do is
send the cookie. The server doesn't care which client the cookie came from.
> 3. If you put a session key in the cookie with, say, a 4 hour timeout on
> the webserver side where the real data is stored, then after the timeout
> has expired the session key is useless to anyone trying to obtain your
> client's data. Time security.
>
Yes, but if there's personal data, 4 hours may be too long.
> You have to trade off password-based vs time-based security. Generally
> #3 is the preferred solution.
>
> Chris
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
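As an added illustration of the three options Chris lists (this is example code, not from anyone in the thread): a base64 cookie that any holder can decode, beside a server-side store where the cookie carries only an opaque random key that stops working after the idle timeout. The class name, the 4-hour default and the injectable clock are my own assumptions.

```python
import base64
import json
import secrets
import time
from typing import Any, Optional


# Option 1: data lives in the cookie. base64 is an encoding, not encryption,
# so whoever holds the cookie can read it back with one call.
def client_side_cookie(data: dict[str, Any]) -> str:
    return base64.b64encode(json.dumps(data, sort_keys=True).encode()).decode()


def decode_client_side_cookie(cookie: str) -> dict[str, Any]:
    return json.loads(base64.b64decode(cookie))


# Option 3: data lives on the server. The cookie holds only a random key that
# reveals nothing about the data and becomes useless once the timeout passes.
class ServerSideSessionStore:
    def __init__(self, timeout_seconds: int = 4 * 3600, clock=time.time) -> None:
        self._timeout = timeout_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._sessions: dict[str, tuple[float, dict[str, Any]]] = {}

    def create(self, data: dict[str, Any]) -> str:
        # 32 bytes from the OS CSPRNG; the key is not derived from the data
        key = secrets.token_urlsafe(32)
        self._sessions[key] = (self._clock(), dict(data))
        return key

    def get(self, key: str) -> Optional[dict[str, Any]]:
        entry = self._sessions.get(key)
        if entry is None:
            return None
        last_seen, data = entry
        if self._clock() - last_seen > self._timeout:
            # Expired: purge it so a captured key cannot be revived later
            del self._sessions[key]
            return None
        # Valid use refreshes the idle timer (a fixed-lifetime variant would not)
        self._sessions[key] = (self._clock(), data)
        return data

    def destroy(self, key: str) -> None:
        # Explicit logout: the key is dead immediately, no need to wait for timeout
        self._sessions.pop(key, None)
```

Within the 4-hour window the server-side key is still replayable by anyone who has it, which is the point Jerry makes above; the timeout only bounds how long that window stays open.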